23542300x800000000000000035126556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:51.656{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6321C77A3DA67BDD66FD3E9812FF8D3F,SHA256=6CCA6072D7C1F6A8E9066D235B2D7DB18DA5939B8104FF7E3CD889926F105757,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:51.323{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D4870E7F29205A92649D63BCAD08C767,SHA256=B5057ED7345061913A7A7DA39368B4956D43B31036818E8D5ED1E145FAAE7417,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:52.686{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA47E1CA33091A7FF29CB4894F316C1,SHA256=B6681F4BB3EB6DD5BD52D605C4B201066B8984C039BFBE38569B09532026C6E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:16.295{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61907-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:53.700{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28CB9B7CBA2C4D2D73B241EEB7F3B5B2,SHA256=3991F5F05302C78F9AA58C8E69A4DC1743245E5609E7097EA7782F23B9969ED6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:54.717{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F66AC83C736D76FB24E7375895A1603,SHA256=0C59424712C18425757029390B297E85016DB979ADE52EF688314F17BFF9E345,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:18.396{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61908-false10.0.1.12-8000-
23542300x800000000000000035126563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:55.767{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D29124D71C377AC5D712F9E1B2F186B,SHA256=782CE046118B64675CD723B1527776982EAFDC3BE9B7BD1EC9942A347833C047,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
13241300x800000000000000035126562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:48:55.236{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a5c4-0x7c8b947f)
23542300x800000000000000035126566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:56.781{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3F826C8066BE5C922117E1BF59EE31,SHA256=7520EED70683F9A537371149C509DB5A139D4F018BEA41399ACB6A7C3712DF88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:21.311{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61909-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:56.182{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FD025BB22A822FF00DE8582943B9D862,SHA256=6BE162290C8497781CBE247FA20AB53D229A38EB483FBA0D09F654AEDCF43942,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:57.814{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B56CA506DABEC2B5A15A721D0636CF6,SHA256=7BACAC2D6F533172D9CF730A62A6EF49C79EB92E0483F55D5D8336447BEA12C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:21.357{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse168.61.215.74-123ntp
23542300x800000000000000035126570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:58.832{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32F354B4527C43B6498530DC0914148,SHA256=1C693F1D48B39A210232CD8CCF4FC55B0D7CFEF34E3C79EE1FA385EEFFA1E96F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:23.408{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61910-false10.0.1.12-8000-
23542300x800000000000000035126572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:59.878{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:48:59.847{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3924D0CEAD78C8AFF1761523911D7209,SHA256=F3624496E6D7D718EEA4FC8D53693B704568D14967F7A6ED18F6E00C99AC90A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:00.862{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00AB9C66EAA1CD11AE7285AB05360731,SHA256=5C65CFE63C35268C1B4C1978164FF1EE48257FBAB31888BC9D1F17D65C4F06CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:26.037{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61911-false10.0.1.12-8089-
23542300x800000000000000035126574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:01.881{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F133CD62048526E5CDA850CBBE2E35,SHA256=7D2C57E76B8BE8A890569724AF342202E0E455C7882C9C8C6DE2CE8D2C78F677,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.321{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61912-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:02.915{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA219144E793D9B15FA283B6EC6E326,SHA256=C56E5025D16B14E1F1219FAEED9F9F7F28CCD1420E8F0422AEFEF7DB0FA4F58D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:02.150{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=46D7A92C0068C9A9C295F1A7402B8181,SHA256=A9E3C11780E08A3CE562EF1BA814E00D24E48631390A791485A23A129AFD8548,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:03.933{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3159F49801D012BF2B935FEF1A465C4D,SHA256=9BFCF73DC10558AF7C25F7CB6A282798DA664A978A62F9B4C0CBD14D9F05708E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:04.947{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F862C8497ABBDA6B0A2513E81B50FA,SHA256=5EF1845012BB84ABD3938FB2A1BFA5096314437DC7E281C4A6A171863E82600D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:05.977{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00028EA731DA60D9CCA69E12FE45F3D0,SHA256=FF2E1CF009B06165F92611CAB3AB6F0EF801E13AD5264E08BA3B2FE5B70CC6E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:29.224{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61913-false10.0.1.12-8000-
23542300x800000000000000035126583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:07.009{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34DC850F03C18709434575971AE1C418,SHA256=4508FB3C0774C640F1B95E0A9D2C398E2EC073A18200ECAEC7C246FFCF4963EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:08.209{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B907CF8D43FE81198459BFB2A223DEC0,SHA256=8039543D6F0632A4A360070216A1C920D9588C2FC5A69E5823C65DB85BBDF7EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:08.044{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA86B39C216EBEB14D8A868CF00C4D4,SHA256=6F72118251015D92EBAA2B7EF0DF721AA81751BC23F58D812E95CFDABD517DCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:33.336{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61914-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:09.074{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B79FE659B421B27FAE3D4438DE2DD0,SHA256=D8D51687EBDE0888DD46079E2A0310C0730D9FF7C109AB647EC31FFE8A07CFCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035126598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.526{B81B27B7-8156-613A-8C96-03000000C801}6848344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.341{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8156-613A-8C96-03000000C801}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.341{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.341{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.341{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.341{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-8156-613A-8C96-03000000C801}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035126592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.341{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.341{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8156-613A-8C96-03000000C801}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035126590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.327{B81B27B7-8156-613A-8C96-03000000C801}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000035126589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:34.365{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61915-false10.0.1.12-8000-
23542300x800000000000000035126588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:10.089{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B273001B9A378A9104E9F782FF2522CE,SHA256=F0CFF7273420CCEA17776E0CD61F79B827716567ED81F099C79B99EBB4E85DB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.346{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=222E9909C1E2B54C922D7BE431BB1608,SHA256=3430C9405BBA9261B1CB4C423AF2458E0FF19BF40E08864ADCA784A7FDBED15E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.346{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E33906FCFCC4FCC6805E80D9D6D90A30,SHA256=D272A98EF96030B94A0A32C536EFADB7987920736A3A2AA359A25DD4F1BB46D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.115{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E93E53D921DAA162726BC83B34BF438,SHA256=B85EDEB38609BD421541A36676669DC54A1D0CFB58BDA7DB32C67BB0D13B52F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035126606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.041{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8157-613A-8D96-03000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.041{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.041{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.041{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.041{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.041{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-8157-613A-8D96-03000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035126600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.041{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8157-613A-8D96-03000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035126599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:11.026{B81B27B7-8157-613A-8D96-03000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035126610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:12.145{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4070F9848599473B0F1F346A33C7E818,SHA256=91AA10FD645626341D6B9F6A0DEF9739EC88ECD0C0EBA3D352986A907007FB91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:13.161{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E70FE1086BED9B5973F303457260377,SHA256=5651347C4D7C4A5E3752D3CDC572F4B9B3914FDB8C52317E4FDD0D8E1A0DB66B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:14.243{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=079F3CD4FDB459C2F05730BA1DB1E12A,SHA256=B5BACC04AA95EF1457276265AB4AAFF772863A22A493AC0F2408188348185B71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:14.174{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A992CDA8E7AAF0F932608A50A488B35C,SHA256=BA8587CE11B982EF21BED8485A2A0B88FA673F560762C8F448254C79F52EDDB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.265{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61917-false10.0.1.12-8000-
354300x800000000000000035126615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:39.337{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61916-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:15.189{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3FA3017CDC446AC4F3E5E218B24767,SHA256=5460525D6A1F4767867FFF480F65C451788D81148AB3DB58DACC55E4BE8AC1FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:16.207{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8916FC900A118A59B8E0395EDC5B4F,SHA256=0D15155FBF06CF20C9A621612B1531198F17BBF2B0A4BDC0B3CB39E9AC216EF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:17.241{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46FFD67222FA7D764E0DA3E6F2F7A39E,SHA256=361E79F4B3D48069D7AF12086AC74C3F40C1FDAAC1DF6C0E220052B8AD1628A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:18.257{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=545EB953D9C5C547CF61CC14BBBA25B6,SHA256=E362C60CF08E30AA270DEE18325D6FE6B9DE0B2367F44A26CD2D3D4EA93B6D0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:19.288{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BC4693EE2FFC772ACD4A0AAF856333,SHA256=EFE3AE197CB2A20F992B8D617EE2DF7F2E17D0AD451BD9A38B8DFC8B924F70EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:20.387{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FF512BEDD4933A532272E98DE5170D5C,SHA256=422F153DF6870BE7B0A445F380D6FED132C117F580487A8300A9BD071B442594,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:20.305{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE43A3040C7ECF91317F0A6A6B0B118,SHA256=2B4C00ED9F9CB70349131ECBB97382921C5D2D485D08E0EB79E1DFEA43F2BABB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:46.299{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61919-false10.0.1.12-8000-
354300x800000000000000035126624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:45.347{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61918-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:21.323{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D06C83DC90E2EFE4A2257EDF8FDB84C,SHA256=8469F213A605ECCB90AB5498BFB0D97B759CE0EDF1877A2C91A2E3E815244FCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:22.338{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8BBEAE6D44EA1AFAEE768DF6F6F513,SHA256=80084B6419C46CACC9D8B8DAF9F24150C2DE80CC95B5A9716AB0DFB3683F6771,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:23.353{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6A2279638BD7BCD40CD42F55665EC0,SHA256=344AEC4821AA410A891C58ED05764501E0988BA2F19F609912E4843EB3CC285A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:24.402{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45171B2F6400F80171085C3DC7819DB9,SHA256=2665C9863968F493612965F105161F674CEC20BC9A144C5688826B04E3AB7ED5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:50.360{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61920-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:25.405{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4F1EB770EAC5E0638D10D5863286B0,SHA256=43E2996B6CBADC175977E563C92F095C60DAA1A4A196DE2B1E608320978438CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:25.203{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=66D609C83ED496527EDA070E41E1A671,SHA256=D07B374E5AF733A0F04CA598CF3136387CCA075E603BE768B873C40E425A4274,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:51.328{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61921-false10.0.1.12-8000-
23542300x800000000000000035126632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:26.421{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740675713385C47796C449B0D3D8F006,SHA256=C0250B143259BC6FE1FC736FD6041816846E04D89CE311F75A8726ACAAE7E935,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035126651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.902{B81B27B7-8167-613A-8F96-03000000C801}66046748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.735{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8167-613A-8F96-03000000C801}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.735{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.735{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.735{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.735{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-8167-613A-8F96-03000000C801}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035126645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.735{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.735{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8167-613A-8F96-03000000C801}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035126643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.720{B81B27B7-8167-613A-8F96-03000000C801}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035126642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.451{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0150DFE47CDCDCD0553370D23E9D6B,SHA256=D5E8724B98E4135E5B09DF57F1DEC9B43BC36AEF384F72727D39CD4206D2DA94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035126641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.035{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8167-613A-8E96-03000000C801}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.035{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.035{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.035{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.035{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.035{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-8167-613A-8E96-03000000C801}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035126635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.035{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8167-613A-8E96-03000000C801}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035126634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:27.021{B81B27B7-8167-613A-8E96-03000000C801}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035126654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:28.466{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ECFFA07EE94973C42E25E82F52274D1,SHA256=549372BA67337138C3CB9987C8F708754EF6EF6733FF2CE7798340FC5B09D56F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:28.035{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F31FB035991133CAE758207BC1E9635,SHA256=4927C168BA8440DE18BF94616D8F19C5825502D0D44F75783AF57767D8DC7F8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:28.035{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=222E9909C1E2B54C922D7BE431BB1608,SHA256=3430C9405BBA9261B1CB4C423AF2458E0FF19BF40E08864ADCA784A7FDBED15E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:29.480{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85716C0669CE726B153FBBE83101A3B,SHA256=D07443ADAD224199AE5B966D95E2B6A47BABB433C9DA32439DDDC6EF9922C4D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:30.486{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16185039FC0B29AF17A17C1E467420BC,SHA256=902978F4A60AA8BEBAA006D08A26A78A925DA157348A745072B5FEFB3280FFD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:56.430{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61923-false10.0.1.12-8000-
354300x800000000000000035126659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:56.371{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61922-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:31.503{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86347C6916CDF23C27B1C4BD894819A,SHA256=992116667C0BC4CEEDF18D1FC0BF4E28CE29BD792F8C3F6DA3DB968636ECB43C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:31.422{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DCF4C650A63F4009F6FF3347175864DE,SHA256=B8A8B0A8E632AE299F23E538D4B96E9D269B3EB7B1489AC86ADB339413DBAA35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:32.753{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF7247bf40.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:32.569{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CE12C24533C80DC271CAF210F6044AC,SHA256=2E4FF70A88503BEB1D7567D8504C5AE1E3560C12DD885CA4C02A091E9ADFCE46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:33.584{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E7927FC5634CED73A21A6B50DE9977,SHA256=A26D1D09D20D8419E2EE1C36BC9C8797FDA3C792834B6744E3120CC36D35CAD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:34.604{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6F621BE3F3C17246A21CEC246012AB,SHA256=13C21FE929EB24455E7237D790346439C0D276AC35FFAD74A5F0B1595B57911C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:35.619{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE16AF587DC0B7E662903E871E27A36,SHA256=9483D89D2C52EF99B943A97501E37EBAD330CAF0BD52ED13A8CD49D27F2B76A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:36.650{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C269BAED98FC1AFDD8B0504A7DBA63,SHA256=6DAF47828559BC659B68A07E26F1D89DC37DA701972B596EAE2051783CC93711,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:37.934{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=14ECA6AEC8797FA835E36B1D5996D1FF,SHA256=3C75E2C8540959D5AD7CEE9CF37AA76E0B5CFBDBB1F9C9517ADA4E4F0E6D7CC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:37.666{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E9CB930C628E74999C5CDB408F1CA4,SHA256=5802E66E71171CEFE78C2248A5F69BACC6CC7ACC2DF3D9DC73CC4C297A0503C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:37.235{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=92E5543CC58D0A5CAB098A1AEC5E8B39,SHA256=8FBABA5D0BDDDECCE6BA674E1E174C7D9340F43E74896A8C79E0855EE7B0A27C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:02.395{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61925-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
354300x800000000000000035126673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:02.356{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61924-false10.0.1.12-8000-
23542300x800000000000000035126672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:38.750{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5539B17710F76B6C5F696BD5DF765BC,SHA256=E8D3878F50805C87942099E82EC71699E23C4F884EED914FD812AFCED954B88E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:38.618{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=3EA9D18E53CA241BAACBCB8189F7C009,SHA256=70AB73E939D77127837A7B10222519D8EE8EA6323A2099EE595D304BFA534BC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:39.799{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD81B1D387C3C6B6A09097F392B0CCB,SHA256=55B4F1B5B25F8CD40846032B6EEE98EE32F040595E9CC1BFEA4EE16569558AA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035126685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.880{B81B27B7-8174-613A-9096-03000000C801}62565264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000035126684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.818{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05551B85612BCF80ABC6B6AE152EBCD,SHA256=EC7D955B64B36FE7A823B01A82B881B22DF5EE112D60E683E8255B79D2AD3839,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035126683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.702{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8174-613A-9096-03000000C801}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.702{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.702{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.702{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.702{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.702{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-8174-613A-9096-03000000C801}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035126677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.702{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8174-613A-9096-03000000C801}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035126676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:40.698{B81B27B7-8174-613A-9096-03000000C801}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000035126709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:06.393{B81B27B7-4014-611D-3600-00000000C801}3260C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61929-false169.254.169.254-80http
354300x800000000000000035126708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:06.264{B81B27B7-4014-611D-3600-00000000C801}3260C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61928-false169.254.169.254-80http
354300x800000000000000035126707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:06.225{B81B27B7-4014-611D-3600-00000000C801}3260C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61927-false169.254.169.254-80http
354300x800000000000000035126706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:06.224{B81B27B7-4014-611D-3600-00000000C801}3260C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61926-false169.254.169.254-80http
10341000x800000000000000035126705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.864{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8175-613A-9296-03000000C801}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.864{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.864{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.864{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.864{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.864{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8175-613A-9296-03000000C801}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035126699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.864{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8175-613A-9296-03000000C801}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035126698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.850{B81B27B7-8175-613A-9296-03000000C801}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035126697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.849{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D4C780D7F4658C81D4703C07557E03E,SHA256=7C563607CACDED4D2A1308EC42D66B7815B1123F0E1E1A2B174E08C405BBBB5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.702{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBCACE222272B2FD3ED52CB95AEC40E4,SHA256=CFC853EE59A0E65EA4E28D2E84CCF45B1AF572F019BFD3E18D76F4E02F2864D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.702{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F31FB035991133CAE758207BC1E9635,SHA256=4927C168BA8440DE18BF94616D8F19C5825502D0D44F75783AF57767D8DC7F8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035126694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.402{B81B27B7-8175-613A-9196-03000000C801}3004648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.265{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8175-613A-9196-03000000C801}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.265{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.265{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.265{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.265{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.265{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8175-613A-9196-03000000C801}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035126687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.265{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8175-613A-9196-03000000C801}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035126686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:41.251{B81B27B7-8175-613A-9196-03000000C801}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000035126713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:07.408{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61931-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
354300x800000000000000035126712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:07.370{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61930-false10.0.1.12-8000-
23542300x800000000000000035126711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:42.863{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B74245327C64B22477EFF7EA6A05811,SHA256=B084815985A71BA72BE789484DA08FE1FFA9B581F0E37FDB9E9FBBEB778C2DA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:42.248{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C23050FDE72503A415DB9DF512BAA4DF,SHA256=FD6225DFDFA16FE0F6BB41A51D809EDC27ADCB4C0065EE661C8D5B120F5816DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:43.878{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=104A53692B8CB918819E2DA186177B85,SHA256=39C8C32C6395E31D089DCD275EBAB237839DD7BAC323DD1FFB3BAD17776CF9D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:43.032{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBCACE222272B2FD3ED52CB95AEC40E4,SHA256=CFC853EE59A0E65EA4E28D2E84CCF45B1AF572F019BFD3E18D76F4E02F2864D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:44.895{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0995E11AA2B60D7E94CB9451AF13A28F,SHA256=FF0F8D1925DA509888DA1904E0E5B59351D3E7A42CE434BEC9E52B20115BA096,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:45.913{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D8D567DB7B75760C4FB91B88A831B5,SHA256=36455617444F98342790A6C00C2E4C610A9875EC90C4ABA04745FE031540FAC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:46.943{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2615F6A795ED3D2B96E0BC9610F19914,SHA256=BB2104F91C28A9E0B9F1B9F756FAC02BB273F0D89E8BD5B904826810DB5771B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:47.973{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB21565849BB06326F16E79DED743F50,SHA256=F0F406FD52FC4B0516946CE1EABB17423F61521ABA3BF19FC02F515CDE2F8DF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:47.293{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F301A04F5CE1C1EE321F3E89F8592D20,SHA256=E2A508B98EF88A79666C511D83340806E276CECA6BF825E17F1AD09C543BDBE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:12.420{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61932-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
354300x800000000000000035126723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:13.403{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61933-false10.0.1.12-8000-
23542300x800000000000000035126722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:49.041{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53B00FDC88F3D8231299D12CFC8CA56,SHA256=6AFF73A7EF27B8A139D46770AA132D24689F36CFA5D65293096C0D0B0A054D91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:50.055{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31FABAEBAA4B8E11F0EC24F3F9CED35,SHA256=543C359E526F0C968CD724D271ADC160266A6B18D1A82B3634A42A20739CAEE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:51.088{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E7E6E82A0EFC0C0AA78F1274B778C5,SHA256=2706865B335B562D2FB33F908EE5E8D49359A5CC74718C95A16097B654EB031B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:52.122{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05B93E8E0981D96237B0D9BC2110879,SHA256=2AEC0428AE054223EE8A11591AE1243B43C2A562B3566AB2F9DCCBC0CB6DD93B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:18.429{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61934-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:53.267{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6B60C5811E1D7E683C23A01CC4799537,SHA256=E7D24270FC2058A40CBD1A2242B499384E21A114ECEA8A568B6B042C9930BC4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:53.136{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E0D5F67530AAB437F82369E7E51F2E,SHA256=13F71BF98B5485807706F27E89A43816E7196556E42A8251D4C86692A7DA5A58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:54.151{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4960CCDC7E1FCFE771C002FEF80CBBE4,SHA256=509CBB74BC469DA3C75A8ECF52AE0DBB1C0E4FCDF35B7D5E8085EE2903F4CDEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:19.296{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61935-false10.0.1.12-8000-
23542300x800000000000000035126731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:55.151{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5F4147D53D7D9A500406255F21D65C4,SHA256=0A781657C15F46604AB471AA51F25FFE88F334D1C10FE3C5901A9CD426F45299,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:56.165{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD4BB971900E28EC6644B3FEA6380CD3,SHA256=07A6AAC092B42AE37420F28687741C18C74A35A019104379E26AF5FE72BAB6F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:57.482{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B91BD3B21C77F00DBD8CF9067AD14980,SHA256=D2EC1B30E7844011F64C028A33598A82713396BE63E646ED162A3A6E0E7D84D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:22.441{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61936-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:57.182{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E371C175E048D0A44EA0F55258F8E82F,SHA256=F64507E590FBBAAF12CCC00AAFE9CEFE069D5B502E431AB1B8C41FCE30E3CF23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:58.200{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D98B83BDB13570390FD87276CAAA6E1,SHA256=6F3917D8E0FAE28207BDE98A416C307DD2B859967C384D5BDA60883D8F20BEEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.900{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.248{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4599BED0AF2E6F75FA47EF9266574061,SHA256=3EBF54C31EDBB489FEA618F9C816FF3B64079A54A3A38219B4B50B153ADAC8CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035126766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:49:59.101{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x800000000000000035126770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:25.255{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61937-false10.0.1.12-8000-
23542300x800000000000000035126769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:00.284{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFEECDA474D6C910936288C99012DE2B,SHA256=44F40BC5AD62D53565C841E7B4FB1D526CEB71F8365387359EAD849FAB894E0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:01.298{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8617E0598408635B4485531E6E511C8F,SHA256=57EC9BC328570CBBBC5C0859B6F5C6106344677B047123E9DCE06EA75D714935,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:01.298{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF97FD82A5DD0C5952BAEAA074B58CE,SHA256=6437EFAAF5F9B30E96FBBE9E518BD1C3DD012F6D8FDBD2612B23B3341C12A0EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.460{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61939-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
354300x800000000000000035126774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.054{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61938-false10.0.1.12-8089-
23542300x800000000000000035126773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:02.314{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B19D95360CDEC9D4E7DB3F21288CC9,SHA256=F550452635775E1EDE384955F1AE5D56A308A9F76EF72940570BFA8ADE527B33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:03.323{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3343AB27D6145D6492B73D2A8FCE73D,SHA256=733BA73C936112EB2316EB14935B53D0C0B7E4C959A43AB06D8C316C33ADB6B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:04.337{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E8431D058AA922A040FA2232F99495,SHA256=B7A430E4DAB914C599038327E0390604B7BC4082F1815A818B11BBEFE0D35E79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:05.352{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159BCD17B09B08C18FE3EA544B5DE0BB,SHA256=B7568DAC0DBF765EC7DD006B503A3E0AD24886AF904315D598A3C4A5CA90C3A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:31.460{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61941-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
354300x800000000000000035126781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:31.243{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61940-false10.0.1.12-8000-
23542300x800000000000000035126780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:06.386{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47295D8895DF8731669301EE43D243F,SHA256=12E6AC4B603E297EA9BBFBA75E6048B579327F10B0EC600442386D157C845DEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:06.367{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=17225BA29D0B646CFCA340FADE93FF20,SHA256=1FB66540022C8503E1FB63BBC922A9062B4A0500C71D6AF5D886B4630FF6AE75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:07.404{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648C0B882D31C1302E57BA969C4A33C4,SHA256=47CBA25BF91610B07FE20A8617A42364112FBEDDE6871A7F77CBD7353BCFF3FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:08.418{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237B921F141EF0968AACA54A70634C98,SHA256=CC0D1101DA4E330FCF1C50FBE84FA3B4368D365237B22D4334907603C0C8CFD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:09.434{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5913C1ED6D7ECAC56D619C65F0679097,SHA256=B8FE28B7B7218655B18852A505F35C113191F2ACE2FB379B79F9456840D6FF37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
13241300x800000000000000035126805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008)
13241300x800000000000000035126804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x724852f5)
13241300x800000000000000035126803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a5bc-0x474a1475)
13241300x800000000000000035126802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a5c4-0xa90e7c75)
13241300x800000000000000035126801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a5cd-0x0ad2e475)
13241300x800000000000000035126800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008)
13241300x800000000000000035126799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x724852f5)
13241300x800000000000000035126798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a5bc-0x474a1475)
13241300x800000000000000035126797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a5c4-0xa90e7c75)
13241300x800000000000000035126796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 21:50:10.564{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a5cd-0x0ad2e475)
10341000x800000000000000035126795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.533{B81B27B7-8192-613A-9396-03000000C801}12244276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000035126794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.450{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77D00763B1508A467ED1B63004E0AD3,SHA256=198298000031E1C901AC3C12A9EE6875480D6D223AF0B1F366725FDFAD7E345A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035126793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.364{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8192-613A-9396-03000000C801}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.364{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8192-613A-9396-03000000C801}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035126791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.364{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.364{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.364{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.364{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.364{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8192-613A-9396-03000000C801}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035126786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:10.349{B81B27B7-8192-613A-9396-03000000C801}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035126817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.462{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5DC83EC96C48BA8219248850522777,SHA256=A67A54146DDD3E99F4C627AE2A57500F2F7C79D667D228CC51B6A75F22AA84FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.351{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87C4C5326796556BC3862729F710440C,SHA256=44194375A660157B12641CB40A24A6B0E61C469BAD402A2E0D3FD2F781A1CE97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.351{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC2D95017BF52FF116DE75A72FCC8BAB,SHA256=690E4A650251CCAA925F8BF3D664A1F6904563BD14C466CE093AED75BF83C5FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.351{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=64EE6FA7B128F373544B15C8EC0DE6DD,SHA256=23F74A309E7C478A18E77BFC30F61D09285DE35CB0DFBD138954D3BDE9A784CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035126813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.063{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-8193-613A-9496-03000000C801}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.063{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.063{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.063{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.063{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.063{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-8193-613A-9496-03000000C801}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035126807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.063{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-8193-613A-9496-03000000C801}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035126806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:11.048{B81B27B7-8193-613A-9496-03000000C801}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000035126820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:37.239{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61943-false10.0.1.12-8000-
23542300x800000000000000035126819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:12.480{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EAC86F64580190C0839CC8455C96D97,SHA256=E7400D2191BC362865DF056FA2DB8724D7307515F782AFCC2BFDF09D5259D9D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:36.478{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61942-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:13.498{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3183FD2D4CD8AB005687F8F7F2F83B57,SHA256=8989395B80FE49ED2EDFEFC3DD52D81BF55A2C67F0F4357E77A68315A8D11EBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:14.513{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF8B630F80A05958C93125E35EE26B37,SHA256=9BF7DBCD467D54EBA39B577A2663B0F6B2BABD7FE6842C5664DF830ECA13E415,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:15.543{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C20C9E889DC997571966E9472C2FC0,SHA256=3368A0225643BD2FAF908BED144E234185C1C4E61304D29FF489A8A01F0502A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.488{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61944-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:16.576{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0567BBCA33C710C1180C5D7E2F2207,SHA256=763DCCFC5748E6270C7DB4E84C7B44FDE37FBB9FD55807F0AB6FCE7B51C81778,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:16.478{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=921C4035E7A44CF63E1B1652A1482242,SHA256=2433F5223BBB149FB69DD8706241E661325F8C3D81912B852F637FDD810B787C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:42.434{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61945-false10.0.1.12-8000-
23542300x800000000000000035126827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:17.595{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4E7DD6C7D0371AEBD4F6E79F35CDF2,SHA256=D1DD938BADCA9D8A29748CAD8FCB0E718F978B072C838F49B965CB46A713797E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:18.609{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FEA32683133DA158B463996E4D6D0F5,SHA256=CC117E2F48E6193E7144212664796F9F25513D99BF278776A1C9DC7A3A1638C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:19.639{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27764D9F633D222DAFBB7CA7F0C33E15,SHA256=1FDABF6C56E02475C2575BD74D92BC7D1ECEC13407A982D8951446C11CB195BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:20.674{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBEB1D94BB1E2E31215B4B0E54E352DF,SHA256=37FC836B3329265A70E10A761874C61AC8BDCDA5FA5D0E41E612801C95C15372,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:20.439{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=874C060F5211DA30182E51184534366A,SHA256=F9A416370C3A1755B672CC35B2C47B2658AB616315CB1FF79F16BF1407334459,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:21.740{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF85FA24E5FBD7CF982537F458670557,SHA256=E875502F2EB50740E4041BC0A41BD07A8F4A309CF1E878E5409342091B5B783D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:45.500{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61946-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:22.774{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6F7AB952E2B7CB57740C53F827E386,SHA256=06B100A792968223DEBE7E5C6387147C97ABDF91582C933B6622296A1554C969,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:23.795{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978435A570FEACE2F8A65B1A1A8B13B4,SHA256=4093A8ECE7FD4127011B3007669CAD3D6E6D1CBE492C888C430615E1A855E8C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:48.215{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61947-false10.0.1.12-8000-
23542300x800000000000000035126838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:24.812{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B240140887313A22A3DF59E8697DA9,SHA256=E2404ACE38826BD27E55B1DEAD99C4182D36BF0A4443447408E185C300805E64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:25.813{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F54C2414FA8E1F64A61EDB9A7E70AE,SHA256=DFE85F212B7E461387615BA1AF981E13B561F25FE6F0F74F413D311F064009A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035126849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.980{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81A2-613A-9596-03000000C801}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.980{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.980{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.980{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.980{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.980{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-81A2-613A-9596-03000000C801}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035126843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.980{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81A2-613A-9596-03000000C801}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035126842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.975{B81B27B7-81A2-613A-9596-03000000C801}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035126841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.827{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A638DD2FB47E464B2A0D1361B290C31,SHA256=4FC3712EBDBC7A5338C452D9611459EF5232D5F7043F685842B47485404869D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:26.328{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7E198D86F93085D023C71555FB7EC36F,SHA256=E4DF74E2B6C81A59B1C44593DF675E8652C17AB80DDB4E3662228DBD4C2CF020,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.858{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16A1407A55BD83E2CEC6CEA9446310E,SHA256=FE0AFD745C3AD4A6B94B764FE0DA7FD94DE2A080285C20BE23AD5593C6A26C52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035126859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.826{B81B27B7-81A3-613A-9696-03000000C801}66124300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.658{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81A3-613A-9696-03000000C801}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.658{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.658{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.658{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.658{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.658{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-81A3-613A-9696-03000000C801}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035126852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.658{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81A3-613A-9696-03000000C801}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035126851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:27.643{B81B27B7-81A3-613A-9696-03000000C801}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000035126850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:51.504{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61948-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:28.874{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C48DC0AF0F0765C3CC084786E1605F7,SHA256=CC0D25E90313604DE60C4C36984AADE730E924B24F930D5069421C0659712D3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:28.057{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1524CA25A49CA1117F2C2665DA9E65F,SHA256=43F7B1888B8F6E49DCD4E7A57E5CB74D62A8FA0C0413B3D816ED3A3F2D6262CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:28.057{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87C4C5326796556BC3862729F710440C,SHA256=44194375A660157B12641CB40A24A6B0E61C469BAD402A2E0D3FD2F781A1CE97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:29.877{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3AB76AB743FC500CF4B584FE7E91A3,SHA256=0EBFD88AC5C745D99CFFDB2D5BFC5037FA8F2847A82C507C400190BB0FE3FF31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:53.349{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61949-false10.0.1.12-8000-
23542300x800000000000000035126868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:30.891{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5142CD4D2683CEBE402527C28C83CDF4,SHA256=169798E34A66A8E4D6478E4391B679BFB3BA0351F697306200BE9A1DA0A3F7F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:55.517{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61950-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:30.376{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D486ABAED7872E5CDB695F2807F3B439,SHA256=94AA46BA35A454C75E2B2AE171416E49C4293F6C15F82374005E6559B2E007EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:31.907{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8DCEA8073D6EB9184BDC70CD46C5F3,SHA256=DC446E2D97264F0BBFFD4CD4F71A4C7193F0E823D34365DC202B8BBB09AD406C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:32.921{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE898BF4128C846D7ED145D96539DA2,SHA256=EAEBB80CDC848459C8246DA143DDDFCC49B2CEF51B1733CF724B0919DC48AE4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:33.936{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C43E4CFF3C3EBD4AB2A2340D2612208,SHA256=3F78DC8B43809E7DE9CFFEAB036557F030BD8EE5ADE8A19EDDAB7DF6B2F4D92B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:34.968{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E18F19F1469730BF0EAB2B7C443244,SHA256=6D9A07A18446602532C07F8C7EC59B50035F5D457C55C4590A06DEE3B39D2F51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:35.986{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E79E361E1EE1C524490AF5E18E3C7B5,SHA256=28810B9ECE52AF7E4ADF1744484D31AD035AC47A795C884C8593912B253DDCC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:59.312{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61951-false10.0.1.12-8000-
354300x800000000000000035126876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:01.526{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61952-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:36.470{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F540668EF57115C537226C3327ECFA89,SHA256=FAB5A961383319412A7F2FD09B331726073FE4751B88145A14CB903A80B3B962,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:37.948{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=484B669FAA3C167FD21696ACD17AE4A2,SHA256=493F3DBA617F62E6D272DFBF95A2933968B3A29A2E613696A76F68E4E6941847,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:37.002{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F97DA535FBABBA181CE2D19BA93C001,SHA256=3D120A2B917F5407CF9C6A0CC75A087DB5ABA93F8076B1044CC8F5BEAA7FABD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:38.016{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=006F1F5EC2BA84B41E40984A9EA802B1,SHA256=903952BEBC3A84F4BA5F13B961E5886F1B73CFFEA84824522784E1E14F966381,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:39.031{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C9BCBD67CF1304A8D939D1FED56152,SHA256=78CBEBBDC10C16F4676ACF0544B68518C551F32692B52C096712DDEF22889B28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035126893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.848{B81B27B7-81B0-613A-9796-03000000C801}41766700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x800000000000000035126892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:05.538{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61954-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
354300x800000000000000035126891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:05.238{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61953-false10.0.1.12-8000-
10341000x800000000000000035126890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.701{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81B0-613A-9796-03000000C801}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.701{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.701{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.701{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.701{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.701{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-81B0-613A-9796-03000000C801}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035126884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.701{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81B0-613A-9796-03000000C801}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035126883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.687{B81B27B7-81B0-613A-9796-03000000C801}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035126882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.529{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7AC4C8CA40AB298D279CBDB335B4C5AC,SHA256=8C61FC8F558A2384201E6AD89D3B4FA4D9B592F990E7B4C97BABB2D07AB0763A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:40.065{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8732A7A90ABAC07D2EE4C405406DAFF2,SHA256=5614559FA227DF591FCE891278FE9E99D9A482386B822245764A4D951A6F0F62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035126913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.916{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81B1-613A-9996-03000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.916{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.916{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.916{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.916{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.916{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-81B1-613A-9996-03000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035126907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.916{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81B1-613A-9996-03000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035126906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.901{B81B27B7-81B1-613A-9996-03000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035126905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.732{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94EB05E5ECB3AE2DB19B719093FDCD00,SHA256=3AE2A57AD64E0DA580DF69D6F527359229C6F30CCFEAE3154D7143BA3853767C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.732{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1524CA25A49CA1117F2C2665DA9E65F,SHA256=43F7B1888B8F6E49DCD4E7A57E5CB74D62A8FA0C0413B3D816ED3A3F2D6262CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035126903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.469{B81B27B7-81B1-613A-9896-03000000C801}45161328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.300{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81B1-613A-9896-03000000C801}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.300{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.300{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.300{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.300{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-81B1-613A-9896-03000000C801}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035126897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.300{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.300{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81B1-613A-9896-03000000C801}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035126895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.286{B81B27B7-81B1-613A-9896-03000000C801}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035126894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:41.085{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CAB3AC46359D9ADC4A762919BF905C6,SHA256=F4002505FC9BEBD6D4A6E40D81937B7DD34A6CEA458E53FA705E44147C864F27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:42.100{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7508816F93754532FBC627279FADD6AE,SHA256=3D3FC78A1837C3634D7D367F3FFD981BA04B4917ECE8C7388DA5BB282E3E5EBF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:43.115{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880651D2C585BDA2076F70560312EFE1,SHA256=36FEA515F2E6499905F6A7CD6866D861E865F042DAF869EF4768B8EC2A1AC353,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:43.015{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94EB05E5ECB3AE2DB19B719093FDCD00,SHA256=3AE2A57AD64E0DA580DF69D6F527359229C6F30CCFEAE3154D7143BA3853767C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:44.129{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187C12FEAD01805FC7B46667B48DE918,SHA256=F6AABF0AE09E8AEACC73728B34262D266F94874EA4E54E549A76A683F5A7007D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.321{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61955-false10.0.1.12-8000-
23542300x800000000000000035126918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:45.161{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48DA74995C56352D8F21E39659FC920A,SHA256=87E33ADF8B3E41B776DC1BE67FE3DDBDD30B48FF0D911170ADC572CAB3B2DFAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:11.565{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61956-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:46.395{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D40C570D96A247C74331A5946EF25082,SHA256=C33807AF136B1B1179D5864DA2C1D93C372E7926618E5FD5ACE562436054FEA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:46.180{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F33C4570063380774589389BC03022,SHA256=09E8425D63F144FEC31E09809103261DB7B475F8A12E3206CDC77AFD1864247C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:47.195{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF50305E29CA08131987F28D2D601E31,SHA256=1042D46065E68C9603F22EC65C0E5F640F9EB3A7AF349CE33BDCC28A08F5E866,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:48.210{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FDC25D645AE5ED1831DD3E82A0EEBED,SHA256=460F2F424C3F64DF7CF64591DD4658540F76788EBB075978F1B960BE5891D137,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:49.224{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EADC4A5BE0F22E9895E22C239EADB30,SHA256=2551347A33967867F15194ACF52038A14C8C2D7FC0FBDCB2BD638037DDEE03C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:50.423{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E3EAB62B445DB6860C6F3A0EACCA64F4,SHA256=AAB015463F7802BDCF93978A998390EE3436A4FC5A2B0E5F879F9F395823DA6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:50.238{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874FE6171D89741039E567428054EDFE,SHA256=9DE979D9300CEDA9CBBE166438AB01C53731C98C30B346FEB1237CF125BE25DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:51.259{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A155EB14DDA3180A6893248812C663,SHA256=503075EBBDC0B87568C79A83412E84D2B64C548067E09221D422DEAAED41B83D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:15.585{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61958-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
354300x800000000000000035126928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:15.431{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61957-false10.0.1.12-8000-
23542300x800000000000000035126931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:52.273{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51C71EEEBBE3EBA8C9D0947C47D6B6A,SHA256=6ABD3D2A41B819942643FEBA193B961C9FA8CC27B807C698F04A7866E23702FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:53.288{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A73AEF14AD8FD6DD2F316F2EA150546,SHA256=AF46046C07365BF74428B94BC2A603239F5E1A0B1D88C7F527243B737456765D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:54.334{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C604DB08142553E48383CB264649F7A0,SHA256=7F34D878DDB04B8B767C992570DE556ACECBE2168E8949B0FBC019724A5FFDE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:55.434{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F4521953471975126FCAC2EB91B2B1FA,SHA256=24E3E3D3C00A04CD6DB8D9DF2004EBC19B5117341ED1060BF11EA2AAB74CF487,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:55.402{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32ADC5547BB979D0C152F5B0BB001B84,SHA256=C3573E6B00364A804DBABBD01909FAE740BF11118D8FCA3AF92AD41D13328BE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:56.406{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB71B75C112320F4F1393211BC381E0,SHA256=CA905596E5E539D25A68FC32316ACB87761672EBB62A94E56801FD102F24255F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:20.595{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61959-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:57.457{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47284F7CFFB774F85162A97D37E978C5,SHA256=5D0331F10D493DC1A887E562CA982BD3CEB579FCE71DBEC2758871B074B8D3E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:21.325{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61960-false10.0.1.12-8000-
23542300x800000000000000035126940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:58.473{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B552203671F718C988CCEC1EB62DDC4C,SHA256=DE603926BE44B9E6187CB5C50F612658C4B72AD2220DC8DC55BB9B5C371E19FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:59.920{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:59.489{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6351947EBD343390A6BE33AA59FAEF5,SHA256=7AA62DC1D714B6BD75F615057DFB1781EF937147BE5E90703D32EE12ED6B4D0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:50:59.474{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0FFBD4494B859BCA350C91B393195FCE,SHA256=E4F129669F8BC99F0C55A0B158300E53FC959FD030FE68A83305EFA9AACF218D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:00.520{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F42CD1B9D408427904D0378C1FC48F2,SHA256=6C1B0B993D4C67EB576B00DD2B92FDB95F00C5B7FBA7866074BC2DCE3C910B82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:24.597{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61961-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:01.556{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B0517BC538153EBF56AAD014487E0F,SHA256=F875D8763B456EA685EF06E3F848F87078DC1B90CD6DE108761816933BB145AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:02.602{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F8A7A78BC40242572CE4773F4A984E,SHA256=E4EE56D85E5034CAF9D9A1A492DD47D75B55F1A2C314B1C787FD6CF1296B5A9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.230{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61963-false10.0.1.12-8000-
354300x800000000000000035126947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.081{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61962-false10.0.1.12-8089-
23542300x800000000000000035126950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:03.617{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A785B47C2A040AE85DD7AF583151892C,SHA256=DF73A7BFDED011A15960C5BF7EC5D77F132B46060B25295956E1E632A46A1D7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:04.651{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77794C6209242490D9418A347835B116,SHA256=15F389EB01A9B68042B9A6C965F616F6A10A28957C36A91919E17038C5C250F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:05.668{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5E3C5E616F0A6A6580B4CCC005E325,SHA256=1FADFC48F873F23CE24120D0B8DEF4370890226EE66D1A631CAA01C09C61DC0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:05.600{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=143F637ED2AEC0E4A075BFB5E7726548,SHA256=8C18CEB1E333DAE183059A328D9E56DBE8290FCF7933C69C252E2B6B7791D42E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:06.683{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22E296005F75435E0F7ED1FFEE4CADA,SHA256=E46CDE1DA8C920A1DD050C242B1DCA302E482F3DCDE696867702110BB739BB8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:30.608{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61964-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:07.714{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92F31355164ECF20AE9C7ED3123CAB6B,SHA256=28409B40579320D743DB07BC807B13B30C338CA96223DE538C3FA0DB8ECAD3D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:08.746{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62BB7AABE9AF87AB82594CDDE7B0A20F,SHA256=2A2737F648760D23F2C801D1B274ACEF853A676D67850FF05A2580A3C4B18964,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:32.260{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61965-false10.0.1.12-8000-
23542300x800000000000000035126959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:09.780{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FAE1B6E9011A7BAF513E057DF0E357,SHA256=FEA6D6D1CAF1DC1E63F7AC2ACF60B8795D85288660C61F94A5D48BDE22E55918,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035126978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.948{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81CE-613A-9B96-03000000C801}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.944{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.944{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.944{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.943{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.943{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-81CE-613A-9B96-03000000C801}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035126972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.943{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81CE-613A-9B96-03000000C801}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035126971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.928{B81B27B7-81CE-613A-9B96-03000000C801}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035126970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.826{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAC53AE345F703A5C2FDC64B965D21E,SHA256=59AD20D31A044031C9E45D37922A3F15CFB0B44861202E0E82842A78E9597688,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035126969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.511{B81B27B7-81CE-613A-9A96-03000000C801}49485244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000035126968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.464{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7C6D41E86623FCB5C06A90763657768E,SHA256=199D1EB705CC0427A811A8B11C79EFA9DFF8275554704D54257EE8BB342E04D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035126967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.348{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81CE-613A-9A96-03000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.348{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.348{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.348{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.348{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035126962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.348{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-81CE-613A-9A96-03000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035126961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.348{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81CE-613A-9A96-03000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035126960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:10.344{B81B27B7-81CE-613A-9A96-03000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035126982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:11.848{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0B1F182FDA1D32179314FE3D44DECD,SHA256=2CE2E07E6319EDE979FDE9244EFE6109A639706C2AFBB92F03C00704602922B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:35.620{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61966-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:11.410{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF269E6E9BF4AD29856E82F4F0F9C767,SHA256=1BDDACA5A4C1F0E2475F24FDDA6E7384E89F2BDFB4094E12AC054992883D5D78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:11.410{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE1B797D07423B00FDF5070834575C17,SHA256=D5D551E25B2569E48BC9211B1A73CA2FE01C1976228313CAACD187CAA1DD9D48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:12.879{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1AC5E6DB6BA9DB3ADA8150D34BDE43,SHA256=2185C52C1B063425F143145074344CA977E7C61B49A01804F98CEC9C027C180A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:37.418{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61967-false10.0.1.12-8000-
23542300x800000000000000035126985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:13.909{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B04EC095F8337B8E3E0BA860F9E6F8,SHA256=E5F8463A8D3F774E0493AA656F72AB605F5EC9AA0BF3E0E3C12596BD4021996E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:39.640{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61968-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:14.924{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6661FD84C472A900BA7FF5BE50FB4248,SHA256=E0139091756044816B8F37F84F3D5667057D21B8A4632D2FE3F601E9F74EFAAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:14.493{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=51D41CF67E505D0B5AA6243338440F60,SHA256=462CF89747B1586F01431CCC06843749DD9A7CEE2538A28D64110757559EA978,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:15.941{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70977531C877B7E381DC1548F9A59D0,SHA256=B1C2ADC4639C4D6AF2E2A72A221340EC7CAF5BB82267B53260A77F9D71C116C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:17.008{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FBF6F7EA35C6EB4B8A2FBBC611D87C3,SHA256=9ECC08D9D75224CE5735ED83081FF0440C1DF27A8C6F3434842C417CD0064BCD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:18.010{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE3D296BB31163AF3AFF186E8BFA77A,SHA256=EC474C30D6D90D4D7B0D4BF87D6EB3C098A0E461E46AC427580AA8288DD108C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:19.044{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE87A2EE7246A9B220DE657087AA6162,SHA256=E8546CD309CB596A15DB22CDFECC84DB84BAA58352903F45428D31190AFD310B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:20.478{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=226BB5DD6B7D07F28DC575B0443871A0,SHA256=124B83163360F8D9E7CDAB19C8990DB804FD226957780ADDD6080C7CDCBF94FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:43.418{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61969-false10.0.1.12-8000-
23542300x800000000000000035126993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:20.062{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB69F78559EA710C05A414E9E50BEEB,SHA256=8F47A2D33275ED0707676A55CB6D2FEFE51EF07AA08F1231E83072D425C41CE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035126997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:45.640{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61970-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035126996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:21.077{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49177B8A4CCA3706FB93B90C2C8FA94,SHA256=90D635365B5BC3A8693FD04324F1E96D10131A1D55A7D70835DD658CAD0BA163,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:22.079{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B5276631CA3B6EE80E0FEF4606AB48,SHA256=D9CA267FE997AB729BC603CC964E697B2E1EB0F0273B7462A7CAE4F9ED1043DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035126999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:23.110{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B37265E1EDBA5631318D5CEFD397DD,SHA256=B3C7E447488ADD685F28C23CAF3BECD719BD36B7C858F5A976CB346F74C59D7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:24.126{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38978B1694D66F8F1F31DB466CC566F2,SHA256=D339E7550BF49F3F36B04211ABE7D26AF322168105144BE1C1FA640532AEFA30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:25.142{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA3584611A5D3E40F1B42E71831E16D,SHA256=35E119C0876830AA943523BE48D8CF5643C376A13C0F0F0617183608BA46452E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:49.255{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61971-false10.0.1.12-8000-
10341000x800000000000000035127013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.965{B81B27B7-81DE-613A-9C96-03000000C801}65842156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.827{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81DE-613A-9C96-03000000C801}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.827{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.827{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.827{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.827{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.827{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-81DE-613A-9C96-03000000C801}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035127006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.827{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81DE-613A-9C96-03000000C801}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035127005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.812{B81B27B7-81DE-613A-9C96-03000000C801}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035127004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.646{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=003939E03BA5971E34BB53E359FA36C7,SHA256=A3B430426C29A616A139CF51A6C3BA4373E1BDFDDE612F678F7D6169C66EDFDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:26.145{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF60ACF13A81EEAA70B1C78705978E0,SHA256=B755B60886DBEC53AC22AB6C5B62850614899F2CA539DEDDE75A4CAEF5F1DAEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.880{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82F9571A1FC044F599CED6A016E39DB6,SHA256=B68668A4132EEAE655581C3A9C25E1CA169E7B561444160152C639F8DB15EE4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.880{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF269E6E9BF4AD29856E82F4F0F9C767,SHA256=1BDDACA5A4C1F0E2475F24FDDA6E7384E89F2BDFB4094E12AC054992883D5D78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035127023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.427{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81DF-613A-9D96-03000000C801}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.427{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.427{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.427{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.427{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.427{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-81DF-613A-9D96-03000000C801}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035127017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.427{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81DF-613A-9D96-03000000C801}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035127016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.413{B81B27B7-81DF-613A-9D96-03000000C801}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035127015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:27.165{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51DAF7D885FD24CAB6F8C1D241063322,SHA256=9419830F1DEF5D4496769D3C5EBBED68A66EADF542830A87BD275CC14B9A4E90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:51.654{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61972-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035127026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:28.211{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB74EA637DE0E1819F6AF7FC1B57166,SHA256=68ECC7D7E65F3D3E924D99F733D70F1187738085041898AE3BC47A28704BC068,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:29.225{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BDC269B59B3108906872E77D3909458,SHA256=2AD188C95449431B17C25C2E93CAF692858D3EDC0E84E8B861A480DFB3552A96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:30.511{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=677A854EBA38D241602F8EC17B6CA4FC,SHA256=846C341CC0A04A2F4CA72B64EC014E8ECF214559F5FADFDA2DD6955B5B5C6031,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:30.243{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B43603319E0868D887F04DBDE4F81D0,SHA256=3E0FC181C1B34106A5AC01B73C299CAB10BCB08D80F0ECF55D1257186C4EA01D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:54.322{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61973-false10.0.1.12-8000-
23542300x800000000000000035127032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:31.263{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C018FC10AE6660195768C7EC76F926D,SHA256=CCB29CF457193DC098D1BEF98177FDD6D8643A4C7EC1AE44F2E6EE228EBC5131,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:55.655{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61974-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035127034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:32.762{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF72499410.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:32.278{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BFA9301FBDCF68D25EC388B1AF4042,SHA256=BD85CB29B337D8C2EA67715923C9CB58C9ED4A207F1652A12E6481A401D64E68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:33.342{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C670A965627811DCB240FD7E4D417B9C,SHA256=C3CB5BEC38A6530096F51895E582151076FCAD1A7C057EB5FCE0F475E933040E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:34.707{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0F3C9B9CC140BBEA1894FE9D999659C0,SHA256=6C7417992C4A26F0FBB9B2D5D2941655DE2CA08AB7C6B3941D417F152D107ABB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:34.376{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D403B96932E942728D53C1A5D5C8021,SHA256=C01E62955FCF0834DEC875D6659EF091B352C0FE3043AE3407B2E85D44F9850E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:35.378{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C018BFD1C60B7F73BEF53421CD7913DF,SHA256=4E5D72EC544BE6F1051772FD6B9C4197716BD7B0B9A9B10BB3765CB97B2CC602,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:59.669{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61975-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035127041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:36.393{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0ED3FC9C77502559A1CCA3552D2B7CF,SHA256=26A7E1483A198846AE26AF8B94859F00712E0BB251A17A4A0011FA04D62E2BBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.253{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61976-false10.0.1.12-8000-
23542300x800000000000000035127043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:37.961{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C613B413CD07316ED37F0CFA3F0BA6E2,SHA256=E1A1303D52C038E3A67D9D48EEF2706EBD9B093C4D562E798E74909B4C9FEBE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:37.423{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A50B004D919E9A0A36DAEAE35B80DC6,SHA256=62490504415D83E8B3BAC8FEECE24AB4B4B2CC04E224EA246C9C5929D242CA4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:38.441{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0ED210302AB26AF0CD4AB91C4441F75,SHA256=E7B4743D066E80CCF66E7F0A9449E2A6D2926412157B898815B908B2FA031EBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:39.594{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=193B382D1751E7DDDF4D503CCC7A57CD,SHA256=6396E338BB1BA3BE615FE29CDA3341B4EC4205DF0E77DE3DD0C6298B64110F79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:39.463{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD7697D8D3CF97F0115E68696C574E4,SHA256=33C15F3442DD8EAB3AA28798ECCA689C279AAB801F109EADD5BA82285DC41AEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035127058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.861{B81B27B7-81EC-613A-9E96-03000000C801}20561032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.708{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81EC-613A-9E96-03000000C801}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.708{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.708{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.708{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.708{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.708{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-81EC-613A-9E96-03000000C801}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035127051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.708{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81EC-613A-9E96-03000000C801}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035127050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.693{B81B27B7-81EC-613A-9E96-03000000C801}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000035127049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:05.317{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61978-false10.0.1.12-8000-
354300x800000000000000035127048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:04.738{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61977-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035127047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:40.477{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30FE9E05311DE288B349244960E581BB,SHA256=109301A550A010DBB3A2D938D3794F9BCB1AED3F0DDBAA177039834459D47063,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.843{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C049035D4EECB8EC1F447EBC71FBEDD6,SHA256=19481E975BFAAB9CC03CA316C1EA361CD5C2DAC3775A60C33ABC026FF509F205,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.842{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82F9571A1FC044F599CED6A016E39DB6,SHA256=B68668A4132EEAE655581C3A9C25E1CA169E7B561444160152C639F8DB15EE4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035127068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.543{B81B27B7-81ED-613A-9F96-03000000C801}70964468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000035127067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.492{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509B81E64F4762EFDC4325C0AB5C3B5E,SHA256=14C6015DEDB9CDE761871E45EF0193742F306E3E8BD51E3382F0D1E8692B4A96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035127066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.392{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81ED-613A-9F96-03000000C801}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.392{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.392{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.392{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.392{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.392{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-81ED-613A-9F96-03000000C801}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035127060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.392{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81ED-613A-9F96-03000000C801}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035127059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:41.378{B81B27B7-81ED-613A-9F96-03000000C801}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035127079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:42.494{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=176102B513C6B9216597A62B24820EC7,SHA256=C8B53130A190043A2968F3CE0F4E2243B0AE53F565AFEB717A201A8A90522280,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035127078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:42.076{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-81EE-613A-A096-03000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:42.076{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:42.076{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:42.076{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:42.076{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:42.076{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-81EE-613A-A096-03000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035127072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:42.076{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-81EE-613A-A096-03000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035127071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:42.061{B81B27B7-81EE-613A-A096-03000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035127081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:43.525{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3DFB0C04CBF84C289844EECAC44E306,SHA256=A68519E75C5B558DCF3B12B4EF84A7C06E488C0A56C7AD034BC7289571C2240A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:43.146{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C049035D4EECB8EC1F447EBC71FBEDD6,SHA256=19481E975BFAAB9CC03CA316C1EA361CD5C2DAC3775A60C33ABC026FF509F205,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:44.807{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B3602EF7D106DF64D74ACAE74666E42A,SHA256=C0F2953EC93B5ED3E711014F800D58EC2019F1D3794DBF7821F8D7A31D83509E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:44.542{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2105F38DF3E3622A9F2819C05954EF8,SHA256=C041F13173103B5B2DC25E22035A00AFAD927F34910C6764270DE4D2B9D2AF17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:09.739{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61979-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035127084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:45.559{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495613F5C0BCAE672047E5A4AF326FFA,SHA256=9D91A74648C3B4FD4139929601219FF1913A7E4E3290D7AB8F53BD3A8DAA54A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.400{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61980-false10.0.1.12-8000-
23542300x800000000000000035127086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:46.574{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4403D6102F62E45C3A6518A069CD56DA,SHA256=9BAD86B204637C606F8EE17DC34D7DC0B4FFDE72B02269C9FD924D81327068A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:47.804{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124DCE9F8648A47B5F063B84BF3DD8CC,SHA256=73A2EACFB252EAF3D785420F78E8E77972E64B8E840F5BA67C7C0597AC2EBEB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:48.836{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A350BAEA54788331336AC5AC3666380B,SHA256=EE3CFA9C01A3C991123A17F9A2B7371CDACA9DED3722DB5E0FE9BD9830F320F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:48.588{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1717CCAED019825EFA7BD11742A11CB1,SHA256=519697AFE303F54BDF9876C476B503FA49D39421F065485B3A0336EB769A7D3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:14.749{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61981-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035127091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:49.855{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA24C9695CA80CB01EF055C4A874414B,SHA256=ACC7995F9A1F67041094E0EFCB32EA78544933FF06AB6AD2F0AAC84066202116,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:50.870{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D8C0AC8604EAAABAE6B4BE275FE9553,SHA256=3277C420F62046292786EB7B0EEE08BFB7C5983A2575259C20EF9063F05362D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:16.410{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61982-false10.0.1.12-8000-
23542300x800000000000000035127094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:51.884{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1200BFE84333C282025C1F7CA6334A4C,SHA256=6DA56A583624707D3ACB619F156BC31E77823AAF62B6B2CED23EE882353BC1FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:52.899{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E0EF9B4A2BF7C2B0B0DF9F5AEA43267,SHA256=166D5D5EEBEBA43E798E1943353F7A95D28615B4083A3F7676B8FFC4B4FCEFB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:53.931{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8739A0ECFBAA533F94B6830C881E8A58,SHA256=8DF57B55E210F82AD91A49315059ADC10B5052BD322AFDFCD65D246EF799934E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:53.683{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F2B5305B9F17325A8FC22EFBAE53F7DF,SHA256=2D7CC8F4938DB0DDD2158C0BCA76E39671A9D93214FC93CC1C743686055FCF34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:54.950{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F248E26C38F67156E0E9FB1706000904,SHA256=08BB4E024ECB42230C8C32A57CBEC0B757220001E505BDA480C366DD73AC4D1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:55.964{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E466979C467D4299BA6C2C2D0E66B329,SHA256=0C816FC62DCFD933E64E27F1FBC59407EDF5FAB82AA1C946EF100DB4E0D28A40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:18.761{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61983-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035127102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:56.979{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2C9122F55FA842F8DD57D1ED662F46,SHA256=C7D7E06593C55CCE0FD9E9623F9191F83CA1C2175B9E0732A6EF310C3E6A08CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:57.993{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D23425CA761F3DC4E9BC9A9DC15D9EA,SHA256=A74AFB50FFCC5929903B6DE134C0D0BA55B9A73B7FC45AEFEBD252687C552A0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:22.772{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61985-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
354300x800000000000000035127106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:22.225{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61984-false10.0.1.12-8000-
23542300x800000000000000035127105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:57.828{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C49D80CB51A5EEC8427DFA580C0338CB,SHA256=4BA698D517C2CB71DB798AAFCC0C821FAB4A1E381A4E922AD001D0602846FAA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035127104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:57.063{B81B27B7-4012-611D-0D00-00000000C801}7924628C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:57.063{B81B27B7-4012-611D-0D00-00000000C801}7924628C:\Windows\system32\svchost.exe{B81B27B7-429F-611D-0601-00000000C801}5536C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:58.908{B81B27B7-4012-611D-0D00-00000000C801}7924628C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000035127111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:59.944{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:51:59.025{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B8A28A77F14435FEA3FAF86DF2BD76,SHA256=7F57FB4D767F5730A47E29FF0A46D5262CE4D3CC7BDF37B8F5EC983E08DD5925,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035127141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.106{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000035127112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:00.059{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4DA0E845CE99A93C99D84C67B76172,SHA256=4EB4C00A944CDD22F5E4D1B1779AECF7B8D99F1AD0B3AF44153FFBEA41781D7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:01.626{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=87EA2AEBE1E9278E018840A77CD2216C,SHA256=3A140AFE5496DDF7CE1F2A24986E7DB1D2A84FF17D6D92F7D5A20FB707C50AD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:01.374{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42B43639228449A3942CEC344453647,SHA256=DB62AEC02DA41C33D61AAFCF49D742C738335DA4752E351BA5B6A7237F57E749,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:02.422{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F753BBF63C61C4EA784524EE7277417B,SHA256=180DAA5A755F651D555A441E12045E1F7EB742E3852466E84B155FDA0508CB5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.099{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61986-false10.0.1.12-8089-
23542300x800000000000000035127148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:03.458{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C9E18638D39B81991BA9AC1FC2D2E95,SHA256=E4CB98EF18EA3CCE9B0729A09999716B032D5297E1328C750E37A8A2431D6496,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.320{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61988-false10.0.1.12-8000-
354300x800000000000000035127146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.783{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61987-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035127149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:04.473{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA445ABEC2B09FE08819D6B86791BD6F,SHA256=AAB117A8B60E3F9FA362EE13E3D7A071BD8BCD3466B332CB03DA6DDC93986B51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:05.722{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=15EFD385CFF957F3E6409EA5AD26A946,SHA256=5B89DE636244D54666920F1A417E0E9938FB8797F3F902764001D09F908FF99A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:05.488{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4348B575F3B284F5A96DD65E24DBC15,SHA256=52597E1BC98BF8466D6B49DF50108A8BEF55A345AF62EF0AFEC4F09CA3E7440A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:06.503{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF62823618F9985521DE85ADDD3EEE6,SHA256=DF9390DEA64ED7D591503BC57AF337E227139B5219DEAB4079AA2AFA2002F144,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:07.519{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C6A190B049B5E9E88BB669BD7E1A9AA,SHA256=83E1F56BBBF0228CEEF921A5CEA6C4C0028522979D6F416210C78999B9827DDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:30.797{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61989-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035127155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:08.537{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37939148C11DE9F395758319138CBB2B,SHA256=0972435365892FCEC4C84EA310977394278BF0A59CD91DE2803E6E34E458FDE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:09.818{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B6B885EFEFD296A4B107F53F2CD6D0BF,SHA256=8F9F21298292856FAC6F66651050943E15C3D6A93DB8D8D0F66DFD32E831044E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:09.568{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92CCECD9E7FAFF125FF671EB5F50AF61,SHA256=A37453E6EB511F69802322DDE80D2EB93F48D9D91A56199090783A07CE5F18FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:33.247{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61990-false10.0.1.12-8000-
10341000x800000000000000035127177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.983{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-820A-613A-A296-03000000C801}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.983{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.983{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.983{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.983{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.983{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-820A-613A-A296-03000000C801}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035127171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.983{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-820A-613A-A296-03000000C801}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035127170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.968{B81B27B7-820A-613A-A296-03000000C801}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035127169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.582{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68386105F8BD44BDE829288AB105F17,SHA256=92F3A19D8B29C9BEC19F9F9CC2A395123E5799EB4CEE9AA067A3DD1E33B5DB3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035127168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.536{B81B27B7-820A-613A-A196-03000000C801}68005552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.383{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-820A-613A-A196-03000000C801}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.383{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.383{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.383{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.383{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.383{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-820A-613A-A196-03000000C801}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035127161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.383{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-820A-613A-A196-03000000C801}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035127160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:10.368{B81B27B7-820A-613A-A196-03000000C801}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000035127159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:34.815{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61991-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035127180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:11.583{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BED0526618015AE28A9718B4AFF4C36,SHA256=1C5D3FBAD0DABF00AC74ADD66F88C233596630CA779D80CB686E712789CC0882,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:11.398{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CC6DB7D5148CAB59D6BF9CCF736F9E0,SHA256=A73E8EFF92BC145E3C3A9ED9C791D0EC8499D51B981624DB4F15F00B3F349A21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:11.398{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58C3773DECBDC318ECC141512FF8EC61,SHA256=710AD07377353D0177B040539ADE857880930DAE6813AA3F45187B47F8D1F695,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:12.597{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB604E063825C9C15CA12970ADD15AD,SHA256=F3EF45F3B28D667F17B431EE94F7D00B978E823E20438E1C4C918199525390D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:13.598{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECACB12887019F19A8A5FB3BC55168F,SHA256=9BA59CE812957A039A13B96FF7A9E80631EC1FE93FBC914A6283079A683A3703,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:38.375{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61992-false10.0.1.12-8000-
23542300x800000000000000035127185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:14.797{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E40797378A1DD9EF217004DF60484AAB,SHA256=F96608258E5CD363EBCD9C7015C4FA86B192F5EC0F5D0CDFC6E61CD56E4A4F5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:14.615{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E362489EC8C9752CF6D6BDA328CBA5,SHA256=D5446A4169F508DA1FF536077072ECB3DF03DC86736B84958DE3A7194CDE5D2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:15.659{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CCEDB9DA7049A4A95DFF988A0292948,SHA256=4F7F86FCCA885D935F1D6DE26C91B496F2D4F59FA4406716132D32B34DAB6EB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:39.829{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61993-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035127188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:16.665{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E8D00FA21675DAC298A20A7705D7D98,SHA256=FB1135E05458B96E6F1533E8E93636744677AA9F0B50AF8F63254DE46DE6A8D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:17.679{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37E21F7C69B0B19253274B9FC43A4EE,SHA256=E15CA83059D8837344C37F38AB20166BB6FFF73AE85BDC28A98D1DC039E37D03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:18.712{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6B7CF98AA7EF96DEC3236AF80262A8B,SHA256=ABAA5D0B327609D82F0F19A94F7E3FD589FE0AD73FF85A403F41149E99FCBB7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:43.426{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61994-false10.0.1.12-8000-
23542300x800000000000000035127192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:19.778{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD7FCC4D4C63BFDF262D6B3A5DD41BF,SHA256=225A339A9BDAB4D34740019C8D784345C717495B04B0575F175115ACB040A055,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:20.792{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D40B94FEEE255D7769BE3838FF38975B,SHA256=48D0C13CA203BD449A97A40BE636F71A2656D94BEAC7022A82B2305101B46B8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:20.692{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9FA96A1991586CA5CC33188123CA076D,SHA256=00035F4A47746B9877DD7312C838BCE921E81E8545341B4E5D02BABCB1BC3857,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:21.809{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7223EC88998976877BE9B31611E0C00C,SHA256=B0F8D7A532F194A0D9C9E1BE3F91DF11C6D6FC3A754D30D0CDA9976F97614D22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:22.859{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53A305813077F28A1DABA4AA9D7AA60,SHA256=E5229482247DA8F93A3E285D1C3E2C7FA815BBEAAFDE4BB407A50C828C5AE565,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:45.840{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61995-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035127198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:23.890{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49957FFBD397DBF4336FC20CF90CC505,SHA256=A4CA49458D566C87B3DED871908680BE580A9D827EDAAAEE8CCE076F58D648CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:24.908{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E8CBEC5EACF0A713F58355CA68E5B33,SHA256=8DE7537E6A24492F1FC95C61B9D8F86521B5FE8C9498A3732820C09B55DB36F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:25.927{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC0418501F32871696FAA14F0CBE658,SHA256=7AB03472EDDC5ABDB2FA45C0C4E3EB2734794D084ED640B41251A1483AC2A29F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:49.305{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61996-false10.0.1.12-8000-
10341000x800000000000000035127212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.972{B81B27B7-821A-613A-A396-03000000C801}49484980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000035127211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.941{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32FD74EB389AD3252A6E5FBEC72C4EF,SHA256=1CF4669EF8BF09ABA3FF003806543B97F25C403676F8CB75B0D3A0DEA206074A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035127210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.841{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-821A-613A-A396-03000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.841{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.841{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.841{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.841{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.841{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-821A-613A-A396-03000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035127204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.841{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-821A-613A-A396-03000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035127203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.826{B81B27B7-821A-613A-A396-03000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035127202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:26.707{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F3ECCE0871E11D76D6FC961D274E09A9,SHA256=4C5F6F2828F9FA97DF91C0805769EBFF36FF1211954BAEFF9DCFC87DBC5FF47B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.971{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=426CD0D2929A03A4827BE4107B7621E2,SHA256=01E508C9646EEC890392FA5F5D2E11668BEDEFB3934E9C6EAF4242B46793A700,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.840{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ECEC61657EF4B97CCFDB91B6FF61F16,SHA256=D3805AC0B33E11D30B86B9EA93818C10B975AB7075A920151FE5B4BE37CD9256,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.840{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CC6DB7D5148CAB59D6BF9CCF736F9E0,SHA256=A73E8EFF92BC145E3C3A9ED9C791D0EC8499D51B981624DB4F15F00B3F349A21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:51.856{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61997-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
10341000x800000000000000035127220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.540{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-821B-613A-A496-03000000C801}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.540{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.540{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.540{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.540{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.540{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-821B-613A-A496-03000000C801}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035127214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.540{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-821B-613A-A496-03000000C801}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035127213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:27.525{B81B27B7-821B-613A-A496-03000000C801}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035127225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:28.986{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546DE5E778B631D292D4BB5654B600C9,SHA256=3F97D23E850B7D3626B4737079B07A2DAB61C72B5170395599876D189DCE37CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:54.317{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local61998-false10.0.1.12-8000-
23542300x800000000000000035127227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:30.004{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DF501BE93BD6B31D2F2805D9D1A93E,SHA256=EADE236D8A9844181AB1CADEF7EEE3EA89BC2F3A2FB481CC7385DAAE1C0F6EE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:31.023{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711D66106C32C9B3C93DA1226F1E89BC,SHA256=3965FF033AC285FD781974F62F9857797459091D648EA3F0D19DFC5A787BEDD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:32.704{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DCDD7D4A3591A8BC8ABA241F7F51D589,SHA256=08908444D22C7A4E577AEB89BEE944D9CF2C1C887442D9C844769E97D6CC84DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035127229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:32.039{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7BD8DAD3A03EFD3ABA8E9AAA1D6DE90,SHA256=2F0BF7C0BB46514551D78DC5F73DA9D65F85CAF28C1484AC65503037567FEDD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:57.864{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local61999-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
10341000x800000000000000035127234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:33.069{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:33.069{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035127232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:33.069{B81B27B7-4012-611D-0C00-00000000C801}7322020C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000035127231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:33.053{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C14CCEC835579C3F2EC42B3A4206784D,SHA256=F35181C1D2938B358BD6782AC55EF0B094ED4B8D3C31665C61C277C6E9A35AB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035127237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:59.400{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62000-false10.0.1.12-8000-
23542300x800000000000000035127236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 21:52:34.103{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\Win