10341000x80000000000000001324530Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.814{110B94A8-E39E-604A-2800-00000000B001}23485456C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{110B94A8-E3A4-604A-8500-00000000B001}5444C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9A68348F0)
10341000x80000000000000001324529Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.814{110B94A8-E39E-604A-2800-00000000B001}23485456C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{110B94A8-E3A4-604A-8500-00000000B001}5444C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9A68348F0)
10341000x80000000000000001324528Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.814{110B94A8-E39E-604A-2800-00000000B001}23485456C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{110B94A8-E3A4-604A-7E00-00000000B001}4504C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9A68348F0)
10341000x80000000000000001324527Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.813{110B94A8-E39E-604A-2800-00000000B001}23485456C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{110B94A8-E3A4-604A-7E00-00000000B001}4504C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9A68348F0)
10341000x80000000000000001324526Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.813{110B94A8-E39E-604A-2800-00000000B001}23485456C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{110B94A8-E3A4-604A-7D00-00000000B001}4888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9A68348F0)
10341000x80000000000000001324525Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.812{110B94A8-E39E-604A-2800-00000000B001}23485456C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{110B94A8-E3A4-604A-7D00-00000000B001}4888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9A68348F0)
10341000x80000000000000001324524Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.812{110B94A8-E39E-604A-2800-00000000B001}23485456C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{110B94A8-E3A2-604A-6800-00000000B001}4840C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9A68348F0)
10341000x80000000000000001324523Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.812{110B94A8-E39E-604A-2800-00000000B001}23485456C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{110B94A8-E3A2-604A-6800-00000000B001}4840C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9A68348F0)
10341000x80000000000000001324522Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.715{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E99C-604A-1E05-00000000B001}18092C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324521Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.715{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E920-604A-0805-00000000B001}18668C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324520Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.715{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E8F7-604A-0305-00000000B001}5084C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324519Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.714{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E891-604A-F404-00000000B001}10920C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324518Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.714{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E822-604A-1D02-00000000B001}20304C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324517Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.714{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E822-604A-1C02-00000000B001}10388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324516Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.714{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E7B5-604A-0802-00000000B001}19644C:\Users\Administrator\Desktop\paypal.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324515Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.714{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E526-604A-7701-00000000B001}17996C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324514Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.713{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E526-604A-7601-00000000B001}11840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324513Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.713{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E4E8-604A-6501-00000000B001}16068C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324512Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.712{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E4E7-604A-6401-00000000B001}15828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324511Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.712{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E4A4-604A-5801-00000000B001}9384c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324510Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.711{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E4A0-604A-5401-00000000B001}14196c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324509Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.711{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E489-604A-5001-00000000B001}17268c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324508Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.710{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E47D-604A-4601-00000000B001}6444c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324507Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.710{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E47B-604A-4501-00000000B001}14248c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324506Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.709{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E47B-604A-4401-00000000B001}5936c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324505Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.709{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E45C-604A-3801-00000000B001}2808c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324504Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.708{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E45C-604A-3701-00000000B001}10332c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324503Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.708{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E452-604A-3401-00000000B001}12216C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324502Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.708{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E44D-604A-3101-00000000B001}2308C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324501Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.708{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E44A-604A-3001-00000000B001}11324c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324500Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.708{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E44A-604A-2F01-00000000B001}10432C:\Windows\system32\wbem\WmiApSrv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324499Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.707{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E443-604A-2701-00000000B001}9888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324498Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.707{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E442-604A-2601-00000000B001}9436C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324497Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.707{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E434-604A-2301-00000000B001}15084c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324496Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.706{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E42B-604A-2001-00000000B001}14628c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324495Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.706{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E402-604A-0B01-00000000B001}13776C:\Windows\system32\fontdrvhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324494Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.705{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3FE-604A-0601-00000000B001}6600c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324493Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.705{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3E7-604A-F200-00000000B001}12872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324492Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.705{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3E7-604A-F100-00000000B001}11336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324491Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.705{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3E6-604A-EF00-00000000B001}5460C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324490Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.705{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3E5-604A-E900-00000000B001}13120C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324489Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.704{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3E5-604A-E600-00000000B001}13012C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324488Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.704{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3E3-604A-E300-00000000B001}10196C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324487Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.704{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3E2-604A-E100-00000000B001}11476C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324486Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.704{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3E2-604A-E000-00000000B001}11560C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ca4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a0806|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324485Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.704{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3DC-604A-DA00-00000000B001}2520c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324484Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.703{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3D4-604A-D600-00000000B001}11712C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324483Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.703{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3D0-604A-D500-00000000B001}10676C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324482Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.702{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3D0-604A-D400-00000000B001}10668C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324481Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.701{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3D0-604A-D300-00000000B001}10660C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324480Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.701{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324479Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.700{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3D0-604A-D100-00000000B001}10644C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324478Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.700{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3D0-604A-D000-00000000B001}10636C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324477Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.699{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3C9-604A-C800-00000000B001}10048c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324476Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.699{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3C6-604A-C300-00000000B001}8120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324475Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.699{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324474Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.698{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3C2-604A-BF00-00000000B001}7600C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324473Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.698{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3BC-604A-BB00-00000000B001}8716C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324472Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.698{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3BC-604A-B900-00000000B001}8000C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324471Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.698{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3BB-604A-B800-00000000B001}7656C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324470Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.697{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-B200-00000000B001}6412C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324469Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.697{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324468Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.697{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-AE00-00000000B001}6324C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324467Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.696{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-AD00-00000000B001}6300C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324466Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.696{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-AC00-00000000B001}6280C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324465Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.695{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-A800-00000000B001}6244C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324464Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.694{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-A600-00000000B001}6228C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324463Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.694{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-A500-00000000B001}6220C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324462Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.694{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-A300-00000000B001}6204C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324461Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.693{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-A200-00000000B001}6196C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324460Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.693{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-9F00-00000000B001}6172C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324459Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.692{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3AF-604A-9E00-00000000B001}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324458Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.692{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3AD-604A-9A00-00000000B001}5172C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324457Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.692{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3AD-604A-9900-00000000B001}5760C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324456Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.692{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A8-604A-9300-00000000B001}5740C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324455Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.691{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A5-604A-9000-00000000B001}6076C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324454Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.691{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A4-604A-8500-00000000B001}5444C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324453Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.690{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A4-604A-7E00-00000000B001}4504C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324452Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.690{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A4-604A-7D00-00000000B001}4888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324451Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.690{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A3-604A-6F00-00000000B001}4604C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324450Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.689{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A2-604A-6A00-00000000B001}4576C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324449Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.689{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A2-604A-6800-00000000B001}4840C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324448Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.689{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A2-604A-6700-00000000B001}4932C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324447Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.689{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A0-604A-5000-00000000B001}4972C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324446Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.689{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39F-604A-4600-00000000B001}4616C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324445Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.688{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39F-604A-4000-00000000B001}4272C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324444Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.688{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3F00-00000000B001}4160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324443Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.688{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3E00-00000000B001}4032C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324442Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.688{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3C00-00000000B001}3832C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324441Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.688{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3A00-00000000B001}2748C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324440Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.687{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3900-00000000B001}2912C:\Windows\system32\inetsrv\wmsvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324439Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.687{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3800-00000000B001}2904C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324438Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.686{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3700-00000000B001}92C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324437Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.686{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3600-00000000B001}2300C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324436Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.686{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3500-00000000B001}2160C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324435Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.686{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3400-00000000B001}2764C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324434Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.686{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3300-00000000B001}2296C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324433Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.686{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3200-00000000B001}2732C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324432Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.686{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3100-00000000B001}2120C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324431Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.686{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3000-00000000B001}2352C:\Windows\system32\mqsvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324430Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.686{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2F00-00000000B001}2368C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324429Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.685{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2E00-00000000B001}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324428Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.685{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2D00-00000000B001}2572C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324427Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.685{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2C00-00000000B001}2316C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324426Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.685{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2B00-00000000B001}2524C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324425Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.685{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2A00-00000000B001}2508C:\Windows\system32\inetsrv\inetinfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324424Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.685{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2900-00000000B001}2456C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324423Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.684{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2800-00000000B001}2348C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324422Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.684{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2700-00000000B001}2360C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMRecovery.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324421Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.678{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2600-00000000B001}2540C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324420Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.678{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2500-00000000B001}2964C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324419Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.678{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39A-604A-2300-00000000B001}2820C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324418Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.678{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E391-604A-2100-00000000B001}2248C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324417Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.678{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E391-604A-1700-00000000B001}1528C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324416Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.678{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E391-604A-1600-00000000B001}1516C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324415Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.677{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E391-604A-1500-00000000B001}1392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324414Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.677{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E391-604A-1400-00000000B001}1372C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324413Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.677{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E391-604A-1300-00000000B001}1224C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325355Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.761{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E99C-604A-1E05-00000000B001}18092C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325354Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.761{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E920-604A-0805-00000000B001}18668C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325353Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.761{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E8F7-604A-0305-00000000B001}5084C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325352Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.761{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E891-604A-F404-00000000B001}10920C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325351Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.761{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E822-604A-1D02-00000000B001}20304C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325350Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.760{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E822-604A-1C02-00000000B001}10388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325349Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.760{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E7B5-604A-0802-00000000B001}19644C:\Users\Administrator\Desktop\paypal.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325348Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.760{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E526-604A-7701-00000000B001}17996C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325347Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.759{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E526-604A-7601-00000000B001}11840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325346Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.759{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E4E8-604A-6501-00000000B001}16068C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325345Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.759{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E4E7-604A-6401-00000000B001}15828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325344Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.758{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E4A4-604A-5801-00000000B001}9384c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325343Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.757{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E4A0-604A-5401-00000000B001}14196c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325342Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.757{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E489-604A-5001-00000000B001}17268c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325341Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.757{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E47D-604A-4601-00000000B001}6444c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325340Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.756{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E47B-604A-4501-00000000B001}14248c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325339Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.756{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E47B-604A-4401-00000000B001}5936c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325338Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.755{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E45C-604A-3801-00000000B001}2808c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325337Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.755{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E45C-604A-3701-00000000B001}10332c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325336Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.754{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E452-604A-3401-00000000B001}12216C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325335Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.754{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E44D-604A-3101-00000000B001}2308C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325334Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.754{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E44A-604A-3001-00000000B001}11324c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325333Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.754{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E44A-604A-2F01-00000000B001}10432C:\Windows\system32\wbem\WmiApSrv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325332Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.753{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E443-604A-2701-00000000B001}9888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325331Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.753{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E442-604A-2601-00000000B001}9436C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325330Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.753{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E434-604A-2301-00000000B001}15084c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325329Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.752{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E42B-604A-2001-00000000B001}14628c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325328Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.752{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E402-604A-0B01-00000000B001}13776C:\Windows\system32\fontdrvhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325327Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.751{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3FE-604A-0601-00000000B001}6600c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325326Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.751{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3E7-604A-F200-00000000B001}12872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325325Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.751{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3E7-604A-F100-00000000B001}11336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325324Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.751{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3E6-604A-EF00-00000000B001}5460C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325323Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.751{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3E5-604A-E900-00000000B001}13120C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325322Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.750{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3E5-604A-E600-00000000B001}13012C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325321Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.750{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3E3-604A-E300-00000000B001}10196C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325320Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.750{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3E2-604A-E100-00000000B001}11476C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325319Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.750{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3E2-604A-E000-00000000B001}11560C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ca4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a0806|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325318Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.749{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3DC-604A-DA00-00000000B001}2520c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325317Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.749{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3D4-604A-D600-00000000B001}11712C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325316Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.748{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3D0-604A-D500-00000000B001}10676C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325315Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.748{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3D0-604A-D400-00000000B001}10668C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325314Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.747{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3D0-604A-D300-00000000B001}10660C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325313Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.747{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325312Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.746{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3D0-604A-D100-00000000B001}10644C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325311Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.745{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3D0-604A-D000-00000000B001}10636C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325310Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.745{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3C9-604A-C800-00000000B001}10048c:\windows\system32\inetsrv\w3wp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325309Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.745{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3C6-604A-C300-00000000B001}8120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325308Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.744{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325307Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.744{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3C2-604A-BF00-00000000B001}7600C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325306Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.744{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3BC-604A-BB00-00000000B001}8716C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325305Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.744{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3BC-604A-B900-00000000B001}8000C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325304Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.744{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3BB-604A-B800-00000000B001}7656C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325303Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.743{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-B200-00000000B001}6412C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325302Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.743{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325301Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.742{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-AE00-00000000B001}6324C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325300Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.742{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-AD00-00000000B001}6300C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325299Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.741{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-AC00-00000000B001}6280C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325298Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.741{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-A800-00000000B001}6244C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325297Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.740{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-A600-00000000B001}6228C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325296Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.740{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-A500-00000000B001}6220C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325295Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.739{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-A300-00000000B001}6204C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325294Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.739{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-A200-00000000B001}6196C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325293Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.738{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3B0-604A-9F00-00000000B001}6172C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325292Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.738{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3AF-604A-9E00-00000000B001}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325291Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.738{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3AD-604A-9A00-00000000B001}5172C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325290Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.738{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3AD-604A-9900-00000000B001}5760C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325289Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.737{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A8-604A-9300-00000000B001}5740C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325288Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.737{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A5-604A-9000-00000000B001}6076C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325287Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.736{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A4-604A-8500-00000000B001}5444C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325286Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.736{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A4-604A-7E00-00000000B001}4504C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325285Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.735{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A4-604A-7D00-00000000B001}4888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325284Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.735{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A3-604A-6F00-00000000B001}4604C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325283Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.735{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A2-604A-6A00-00000000B001}4576C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325282Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.735{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A2-604A-6800-00000000B001}4840C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325281Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.735{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A2-604A-6700-00000000B001}4932C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325280Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.735{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E3A0-604A-5000-00000000B001}4972C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325279Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.734{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39F-604A-4600-00000000B001}4616C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325278Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.734{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39F-604A-4000-00000000B001}4272C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325277Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.734{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3F00-00000000B001}4160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325276Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.734{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3E00-00000000B001}4032C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325275Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.734{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3C00-00000000B001}3832C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325274Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.733{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3A00-00000000B001}2748C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325273Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.733{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3900-00000000B001}2912C:\Windows\system32\inetsrv\wmsvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325272Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.733{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3800-00000000B001}2904C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325271Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.732{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3700-00000000B001}92C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325270Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.732{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3600-00000000B001}2300C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325269Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.732{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3500-00000000B001}2160C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325268Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.732{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3400-00000000B001}2764C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325267Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.732{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3300-00000000B001}2296C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325266Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.732{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3200-00000000B001}2732C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325265Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.732{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3100-00000000B001}2120C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325264Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.732{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-3000-00000000B001}2352C:\Windows\system32\mqsvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325263Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.732{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2F00-00000000B001}2368C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325262Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.731{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2E00-00000000B001}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325261Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.731{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2D00-00000000B001}2572C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325260Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.731{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2C00-00000000B001}2316C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325259Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.731{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2B00-00000000B001}2524C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325258Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.731{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2A00-00000000B001}2508C:\Windows\system32\inetsrv\inetinfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325257Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.731{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2900-00000000B001}2456C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325256Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.730{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2800-00000000B001}2348C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325255Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.730{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2700-00000000B001}2360C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMRecovery.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325254Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.724{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2600-00000000B001}2540C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325253Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.724{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39E-604A-2500-00000000B001}2964C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325252Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.724{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E39A-604A-2300-00000000B001}2820C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325251Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.724{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E391-604A-2100-00000000B001}2248C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325250Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.724{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E391-604A-1700-00000000B001}1528C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325249Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.724{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E391-604A-1600-00000000B001}1516C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325248Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.723{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E391-604A-1500-00000000B001}1392C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325247Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.723{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E391-604A-1400-00000000B001}1372C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325246Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.723{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E391-604A-1300-00000000B001}1224C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325245Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.723{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E391-604A-1200-00000000B001}1184C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325244Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.723{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E391-604A-1100-00000000B001}1152C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325243Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.723{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E391-604A-1000-00000000B001}1144C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325242Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.723{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E391-604A-0F00-00000000B001}1112C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325241Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.723{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E391-604A-0E00-00000000B001}1076C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325240Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.722{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E390-604A-0D00-00000000B001}624C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325239Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.722{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E390-604A-0C00-00000000B001}584C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325238Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.722{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E38E-604A-0B00-00000000B001}852C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325237Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.722{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E38E-604A-0A00-00000000B001}844C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ca4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a0806|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325236Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.722{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E38E-604A-0900-00000000B001}792C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a07aa|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325235Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.722{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E38E-604A-0800-00000000B001}716C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ca4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a0806|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325234Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.722{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E38E-604A-0700-00000000B001}708C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ca4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a0806|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325233Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.721{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E38E-604A-0500-00000000B001}636C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ca4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a0806|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325232Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.721{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E38C-604A-0200-00000000B001}448C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ca4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a0806|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325231Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.721{110B94A8-E892-604A-F504-00000000B001}304011108C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe{110B94A8-E38C-604A-0100-00000000B001}4System0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ca4|C:\Windows\System32\KERNELBASE.dll+25803|C:\Windows\System32\KERNEL32.DLL+169c0|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+a0806|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+7c258|C:\Users\ADMINI~1\AppData\Local\Temp\2\procexp64.exe+bcf89|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x80000000000000001325230Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:45.378{110B94A8-E920-604A-0805-00000000B001}18668C:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-293.attackrange.local36912-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
10341000x80000000000000001325229Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.377{110B94A8-E390-604A-0C00-00000000B001}5841040C:\Windows\system32\svchost.exe{110B94A8-E3E7-604A-F100-00000000B001}11336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325228Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.377{110B94A8-E390-604A-0C00-00000000B001}5841040C:\Windows\system32\svchost.exe{110B94A8-E3E7-604A-F200-00000000B001}12872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+33ac3|C:\Windows\SYSTEM32\psmserviceexthost.dll+3283b|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325227Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.377{110B94A8-E390-604A-0C00-00000000B001}5841040C:\Windows\system32\svchost.exe{110B94A8-E3E7-604A-F100-00000000B001}11336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325226Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.377{110B94A8-E390-604A-0C00-00000000B001}5841040C:\Windows\system32\svchost.exe{110B94A8-E3E7-604A-F200-00000000B001}12872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+3280d|C:\Windows\SYSTEM32\psmserviceexthost.dll+22d9f|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325225Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.228{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AC00-00000000B001}6280C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325224Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.228{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AC00-00000000B001}6280C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325223Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.227{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47D-604A-4601-00000000B001}6444c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325222Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.227{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A500-00000000B001}6220C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325221Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.227{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A500-00000000B001}6220C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325220Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.227{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E45C-604A-3701-00000000B001}10332c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325219Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.227{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A500-00000000B001}6220C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325218Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.225{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325217Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.225{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325216Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.225{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325215Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.225{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325214Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.225{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325213Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.225{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325212Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.225{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325211Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.225{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325210Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.225{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325209Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.225{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325208Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.223{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325207Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.223{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325206Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.223{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325205Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.223{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325204Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.223{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325203Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.223{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325202Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.223{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325201Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.223{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325200Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.221{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A500-00000000B001}6220C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325199Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.221{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D100-00000000B001}10644C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325198Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.221{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D100-00000000B001}10644C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325197Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.221{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47D-604A-4601-00000000B001}6444c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325196Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.221{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47D-604A-4601-00000000B001}6444c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325195Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.221{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A500-00000000B001}6220C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325194Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.221{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E45C-604A-3701-00000000B001}10332c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325193Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.221{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E45C-604A-3701-00000000B001}10332c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325192Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.221{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A500-00000000B001}6220C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325191Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.221{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A500-00000000B001}6220C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325190Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.221{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D100-00000000B001}10644C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325189Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.221{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E39E-604A-3800-00000000B001}2904C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325188Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.220{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E39F-604A-4000-00000000B001}4272C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325187Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.220{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AE00-00000000B001}6324C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325186Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.220{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325185Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.220{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3A5-604A-9000-00000000B001}6076C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325184Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.220{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3AD-604A-9900-00000000B001}5760C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325183Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.220{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A500-00000000B001}6220C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325182Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.220{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E39E-604A-3800-00000000B001}2904C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325181Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.220{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-B200-00000000B001}6412C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325180Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.220{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C2-604A-BF00-00000000B001}7600C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325179Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.220{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325178Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.220{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47D-604A-4601-00000000B001}6444c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325177Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.219{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47B-604A-4501-00000000B001}14248c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325176Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.219{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E44A-604A-3001-00000000B001}11324c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325175Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.219{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47B-604A-4401-00000000B001}5936c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325174Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.219{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C9-604A-C800-00000000B001}10048c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325173Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.219{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D400-00000000B001}10668C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325172Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.219{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D000-00000000B001}10636C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325171Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.219{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D300-00000000B001}10660C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325170Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.219{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D100-00000000B001}10644C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325169Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.219{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E45C-604A-3701-00000000B001}10332c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325168Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.219{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325167Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.219{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47B-604A-4401-00000000B001}5936c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325166Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.219{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D500-00000000B001}10676C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325165Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.219{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-9F00-00000000B001}6172C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325164Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.219{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A300-00000000B001}6204C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325163Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.219{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D4-604A-D600-00000000B001}11712C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325162Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.219{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E489-604A-5001-00000000B001}17268c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325161Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.219{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3DC-604A-DA00-00000000B001}2520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325160Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.219{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47D-604A-4601-00000000B001}6444c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325159Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.219{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E45C-604A-3701-00000000B001}10332c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325158Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.218{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3DC-604A-DA00-00000000B001}2520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325157Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.218{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4A4-604A-5801-00000000B001}9384c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325156Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.218{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4A0-604A-5401-00000000B001}14196c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325155Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.218{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A800-00000000B001}6244C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325154Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.218{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AD00-00000000B001}6300C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325153Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.218{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A600-00000000B001}6228C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325152Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.218{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E42B-604A-2001-00000000B001}14628c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325151Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.218{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E434-604A-2301-00000000B001}15084c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325150Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.218{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E45C-604A-3801-00000000B001}2808c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325149Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.218{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4A0-604A-5401-00000000B001}14196c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325148Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.218{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AC00-00000000B001}6280C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325147Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.218{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4E7-604A-6401-00000000B001}15828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325146Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.218{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4E8-604A-6501-00000000B001}16068C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325145Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.218{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3A4-604A-7D00-00000000B001}4888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325144Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.218{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E39F-604A-4000-00000000B001}4272C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325143Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.218{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AE00-00000000B001}6324C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325142Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.218{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325141Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.217{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3A5-604A-9000-00000000B001}6076C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325140Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.217{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3AD-604A-9900-00000000B001}5760C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325139Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.217{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A500-00000000B001}6220C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325138Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.217{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E39E-604A-3800-00000000B001}2904C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325137Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.217{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-B200-00000000B001}6412C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325136Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.217{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C2-604A-BF00-00000000B001}7600C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325135Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.217{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325134Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.217{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C9-604A-C800-00000000B001}10048c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325133Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.217{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D400-00000000B001}10668C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325132Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.217{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D000-00000000B001}10636C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325131Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.217{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D300-00000000B001}10660C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325130Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.217{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D100-00000000B001}10644C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325129Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.217{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325128Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.217{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D500-00000000B001}10676C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325127Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.217{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-9F00-00000000B001}6172C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325126Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.217{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A300-00000000B001}6204C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325125Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.217{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D4-604A-D600-00000000B001}11712C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325124Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.217{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3DC-604A-DA00-00000000B001}2520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325123Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.216{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3DC-604A-DA00-00000000B001}2520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325122Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.216{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3FE-604A-0601-00000000B001}6600c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325121Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.216{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A800-00000000B001}6244C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325120Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.216{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AD00-00000000B001}6300C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325119Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.216{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A600-00000000B001}6228C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325118Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.216{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E42B-604A-2001-00000000B001}14628c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325117Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.216{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E434-604A-2301-00000000B001}15084c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325116Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.216{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E44A-604A-3001-00000000B001}11324c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325115Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.216{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E45C-604A-3701-00000000B001}10332c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325114Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.216{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E45C-604A-3801-00000000B001}2808c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325113Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.216{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47B-604A-4501-00000000B001}14248c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325112Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.216{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47B-604A-4401-00000000B001}5936c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325111Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.216{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47D-604A-4601-00000000B001}6444c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325110Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.216{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47B-604A-4401-00000000B001}5936c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325109Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.216{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E45C-604A-3701-00000000B001}10332c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325108Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.216{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E489-604A-5001-00000000B001}17268c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325107Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.216{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47D-604A-4601-00000000B001}6444c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325106Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.216{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4A0-604A-5401-00000000B001}14196c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325105Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.215{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4A4-604A-5801-00000000B001}9384c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325104Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.215{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4A0-604A-5401-00000000B001}14196c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325103Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.215{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AC00-00000000B001}6280C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325102Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.215{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4E7-604A-6401-00000000B001}15828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325101Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.215{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4E8-604A-6501-00000000B001}16068C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325100Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.215{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3A4-604A-7D00-00000000B001}4888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325099Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.215{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E39F-604A-4000-00000000B001}4272C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325098Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.215{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E39F-604A-4000-00000000B001}4272C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325097Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.215{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E39F-604A-4000-00000000B001}4272C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325096Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.215{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AE00-00000000B001}6324C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325095Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.215{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325094Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.215{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AE00-00000000B001}6324C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325093Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.214{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AE00-00000000B001}6324C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325092Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.214{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3A5-604A-9000-00000000B001}6076C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325091Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.214{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325090Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.214{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325089Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.214{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3A5-604A-9000-00000000B001}6076C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325088Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.214{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3A5-604A-9000-00000000B001}6076C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325087Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.214{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3AD-604A-9900-00000000B001}5760C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325086Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.214{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3AD-604A-9900-00000000B001}5760C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325085Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.214{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3AD-604A-9900-00000000B001}5760C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325084Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.214{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A500-00000000B001}6220C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325083Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.214{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A500-00000000B001}6220C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325082Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.214{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A500-00000000B001}6220C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325081Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.214{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E39E-604A-3800-00000000B001}2904C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325080Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.214{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E39E-604A-3800-00000000B001}2904C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325079Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.214{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E39E-604A-3800-00000000B001}2904C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325078Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.214{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-B200-00000000B001}6412C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325077Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.214{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-B200-00000000B001}6412C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325076Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.214{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-B200-00000000B001}6412C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325075Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.213{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C2-604A-BF00-00000000B001}7600C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325074Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.213{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C2-604A-BF00-00000000B001}7600C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325073Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.213{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C2-604A-BF00-00000000B001}7600C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325072Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.213{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325071Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.213{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325070Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.213{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325069Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.213{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E44A-604A-3001-00000000B001}11324c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325068Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.213{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47B-604A-4501-00000000B001}14248c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325067Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.213{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47D-604A-4601-00000000B001}6444c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325066Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.213{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E44A-604A-3001-00000000B001}11324c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325065Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.213{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47B-604A-4501-00000000B001}14248c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325064Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.213{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E44A-604A-3001-00000000B001}11324c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325063Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.213{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47B-604A-4501-00000000B001}14248c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325062Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.213{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47D-604A-4601-00000000B001}6444c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325061Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.213{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47D-604A-4601-00000000B001}6444c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325060Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.213{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47B-604A-4401-00000000B001}5936c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325059Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.213{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47B-604A-4401-00000000B001}5936c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325058Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.213{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E47B-604A-4401-00000000B001}5936c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325057Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.213{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C9-604A-C800-00000000B001}10048c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325056Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.212{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C9-604A-C800-00000000B001}10048c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325055Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.212{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C9-604A-C800-00000000B001}10048c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325054Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.212{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D400-00000000B001}10668C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325053Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.212{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D000-00000000B001}10636C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325052Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.212{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D400-00000000B001}10668C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325051Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.212{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D400-00000000B001}10668C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325050Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.212{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D000-00000000B001}10636C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325049Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.212{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D000-00000000B001}10636C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325048Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.212{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D300-00000000B001}10660C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325047Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.212{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D300-00000000B001}10660C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325046Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.212{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D300-00000000B001}10660C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325045Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.212{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D100-00000000B001}10644C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325044Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.212{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D100-00000000B001}10644C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325043Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.212{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D100-00000000B001}10644C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325042Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.212{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E45C-604A-3701-00000000B001}10332c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325041Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.212{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E45C-604A-3701-00000000B001}10332c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325040Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.212{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E45C-604A-3701-00000000B001}10332c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325039Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325038Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325037Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325036Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D500-00000000B001}10676C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325035Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D500-00000000B001}10676C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325034Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D500-00000000B001}10676C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325033Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-9F00-00000000B001}6172C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325032Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-9F00-00000000B001}6172C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325031Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-9F00-00000000B001}6172C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325030Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A300-00000000B001}6204C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325029Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A300-00000000B001}6204C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325028Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A300-00000000B001}6204C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325027Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D4-604A-D600-00000000B001}11712C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325026Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D4-604A-D600-00000000B001}11712C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325025Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D4-604A-D600-00000000B001}11712C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325024Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E489-604A-5001-00000000B001}17268c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325023Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E489-604A-5001-00000000B001}17268c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325022Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E489-604A-5001-00000000B001}17268c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325021Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3DC-604A-DA00-00000000B001}2520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325020Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.211{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3DC-604A-DA00-00000000B001}2520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325019Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.210{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3DC-604A-DA00-00000000B001}2520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325018Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.210{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4A4-604A-5801-00000000B001}9384c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325017Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.210{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4A4-604A-5801-00000000B001}9384c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325016Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.210{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4A4-604A-5801-00000000B001}9384c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325015Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.210{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4A0-604A-5401-00000000B001}14196c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325014Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.210{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4A0-604A-5401-00000000B001}14196c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325013Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.210{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4A0-604A-5401-00000000B001}14196c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325012Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.210{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3FE-604A-0601-00000000B001}6600c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325011Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.210{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3FE-604A-0601-00000000B001}6600c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325010Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.210{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3FE-604A-0601-00000000B001}6600c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325009Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.210{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A800-00000000B001}6244C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325008Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.210{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A800-00000000B001}6244C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325007Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.210{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A800-00000000B001}6244C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325006Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.210{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AD00-00000000B001}6300C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325005Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.210{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AD00-00000000B001}6300C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325004Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.210{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AD00-00000000B001}6300C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325003Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.210{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A600-00000000B001}6228C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325002Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.210{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A600-00000000B001}6228C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325001Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.209{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-A600-00000000B001}6228C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001325000Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.209{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E42B-604A-2001-00000000B001}14628c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324999Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.209{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E42B-604A-2001-00000000B001}14628c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324998Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.209{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E42B-604A-2001-00000000B001}14628c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324997Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.209{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E434-604A-2301-00000000B001}15084c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324996Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.209{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E434-604A-2301-00000000B001}15084c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324995Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.209{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E434-604A-2301-00000000B001}15084c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324994Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.209{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E45C-604A-3801-00000000B001}2808c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324993Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.209{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E45C-604A-3801-00000000B001}2808c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324992Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.209{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E45C-604A-3801-00000000B001}2808c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324991Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.209{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AC00-00000000B001}6280C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324990Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.209{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AC00-00000000B001}6280C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324989Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.209{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AC00-00000000B001}6280C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324988Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.209{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4E7-604A-6401-00000000B001}15828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324987Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.209{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4E7-604A-6401-00000000B001}15828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324986Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.209{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4E7-604A-6401-00000000B001}15828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324985Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.209{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4E8-604A-6501-00000000B001}16068C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324984Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.208{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4E8-604A-6501-00000000B001}16068C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324983Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.208{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E4E8-604A-6501-00000000B001}16068C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324982Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.208{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3A4-604A-7D00-00000000B001}4888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324981Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.208{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3A4-604A-7D00-00000000B001}4888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324980Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.208{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3A4-604A-7D00-00000000B001}4888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324979Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.208{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D100-00000000B001}10644C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324978Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.208{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324977Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.199{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324976Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.199{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324975Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.198{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324974Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.198{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324973Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.198{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324972Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.198{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324971Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.198{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324970Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.198{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324969Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.198{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324968Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.198{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C2-604A-BF00-00000000B001}7600C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324967Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.198{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324966Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.198{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324965Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.198{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324964Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.198{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324963Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.197{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324962Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.197{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324961Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.197{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324960Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.197{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3B0-604A-AF00-00000000B001}6332C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324959Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.197{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324958Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.197{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324957Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.197{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D100-00000000B001}10644C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324956Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.197{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324955Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.197{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324954Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.197{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324953Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.196{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324952Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.196{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324951Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.196{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324950Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.196{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324949Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.196{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324948Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.196{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324947Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.196{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324946Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.194{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324945Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.194{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324944Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.194{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324943Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.194{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324942Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.193{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324941Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.193{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324940Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.193{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324939Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.193{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324938Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.193{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324937Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.193{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324936Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.193{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324935Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.193{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324934Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.193{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324933Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.193{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324932Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.193{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324931Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.193{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324930Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.193{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324929Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.192{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3C6-604A-C200-00000000B001}7008C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324928Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.189{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324927Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.189{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324926Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.189{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324925Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.189{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324924Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.189{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324923Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.189{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324922Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.189{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324921Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.188{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324920Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.188{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324919Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.188{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324918Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.188{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324917Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.188{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324916Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.188{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324915Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.188{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324914Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.188{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324913Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.188{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324912Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.188{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324911Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.187{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324910Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.187{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+275a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+1954|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+4fcc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+44bc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+6b74|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x80000000000000001324909Microsoft-Windows-Sysmon/Operationalwin-dc-293.attackrange.local-2021-03-12 04:10:46.187{110B94A8-E44D-604A-3101-00000000B001}2308172C:\Windows\system32\rundll32.exe{110B94A8-E3D0-604A-D200-00000000B001}10652