23542300x80000000000000002383230Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:29.200{9A05EE67-1F89-6051-4021-00000000B001}19804NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DADD767446A14FF3A37E15B80E0B31E,SHA256=D8DF1FA2F381F9AA163738C653C11AF75E73F5ECE3CEF9CB201DD6B6572F0375,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002383241Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.432{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383240Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.432{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383239Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.432{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383238Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.432{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383237Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.432{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383236Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.432{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383235Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.432{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383234Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.432{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 354300x80000000000000002383233Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:29.870{9A05EE67-1F87-6051-3721-00000000B001}7928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25297-false10.0.1.12-8000- 354300x80000000000000002383248Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:30.808{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25299-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local389ldap 354300x80000000000000002383247Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:30.808{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25299-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local389ldap 354300x80000000000000002383246Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:30.067{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-622.attackrange.local25298-false10.0.1.14win-dc-622.attackrange.local64327- 354300x80000000000000002383245Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:30.067{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25298-false10.0.1.14win-dc-622.attackrange.local64327- 10341000x80000000000000002383244Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:32.297{9A05EE67-DA3B-6050-2900-00000000B001}261219680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\mswsock.dll+14729|C:\Windows\System32\WS2_32.dll+2a103|C:\Windows\System32\WS2_32.dll+2a01c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+800818|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+83fcfe|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.ServiceModel\595b2406c071095f7301a6d37a9e77bd\System.ServiceModel.ni.dll+11dce8f|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+58670|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+52225|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+4d930|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+4d816|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+4d5dc|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+519fc|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+56326|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+570e6|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+5739e|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+56803|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+56121|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+56bb8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\0a21e2e771673eaddf55cd08eb990345\System.ServiceModel.Internals.ni.dll+ffc2000d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+310906|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e150e12dedbd1a8eb71660b9680a9ae7\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e150e12dedbd1a8eb71660b9680a9ae7\mscorlib.ni.dll+58dd95 10341000x80000000000000002383243Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:32.261{9A05EE67-DA3B-6050-2900-00000000B001}261219680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\mswsock.dll+14729|C:\Windows\System32\WS2_32.dll+2a103|C:\Windows\System32\WS2_32.dll+2a01c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+800818|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+83fcfe|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.ServiceModel\595b2406c071095f7301a6d37a9e77bd\System.ServiceModel.ni.dll+11dce8f|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+58670|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+52225|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+4d930|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+4d816|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+4d5dc|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+519fc|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+56326|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+570e6|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+5739e|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+56803|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+56121|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+56bb8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\0a21e2e771673eaddf55cd08eb990345\System.ServiceModel.Internals.ni.dll+ffc2000d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+310906|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e150e12dedbd1a8eb71660b9680a9ae7\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e150e12dedbd1a8eb71660b9680a9ae7\mscorlib.ni.dll+58dd95 23542300x80000000000000002383242Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:32.042{9A05EE67-1F89-6051-4021-00000000B001}19804NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36D02BC5EBDF3AC0F0819DDCA955A924,SHA256=84DBC8EA397744BC65B142AB4E8E2FBED1C938762340BBD280EC04E7B9F40312,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002383254Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.953{9A05EE67-DA3B-6050-2900-00000000B001}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exeNT AUTHORITY\LOCAL SERVICEtcpfalsetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25301-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local808- 354300x80000000000000002383253Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.953{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25301-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local808- 354300x80000000000000002383252Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.926{9A05EE67-DA3B-6050-2900-00000000B001}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exeNT AUTHORITY\LOCAL SERVICEtcpfalsetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25300-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local808- 354300x80000000000000002383251Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.926{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25300-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local808- 10341000x80000000000000002383250Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:33.229{9A05EE67-DA28-6050-0B00-00000000B001}85215708C:\Windows\system32\lsass.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\kerberos.DLL+8cb5a|C:\Windows\system32\kerberos.DLL+42a18|C:\Windows\system32\kerberos.DLL+40fbb|C:\Windows\system32\kerberos.DLL+148cf|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002383249Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:33.229{9A05EE67-DA28-6050-0B00-00000000B001}85215708C:\Windows\system32\lsass.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002383258Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:32.895{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-622.attackrange.local25303-true0:0:0:0:0:0:0:1win-dc-622.attackrange.local443https 354300x80000000000000002383257Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:32.895{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-622.attackrange.local25303-true0:0:0:0:0:0:0:1win-dc-622.attackrange.local443https 354300x80000000000000002383256Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:32.886{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse127.0.0.1win-dc-622.attackrange.local25302-false127.0.0.1win-dc-622.attackrange.local443https 354300x80000000000000002383255Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:32.886{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruefalse127.0.0.1win-dc-622.attackrange.local25302-false127.0.0.1win-dc-622.attackrange.local443https 23542300x80000000000000002383533Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.979{9A05EE67-1F89-6051-4021-00000000B001}19804NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=819E0A976F5FF6A1BA10A8D74E969EFE,SHA256=A06426A420B2B353EAF5A64A17649DFFBC71C5539D735DDD33825E133510A7E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002383532Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-CA21-00000000B001}25052C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383531Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-CA21-00000000B001}25052C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383530Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C921-00000000B001}16536C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383529Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C921-00000000B001}16536C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383528Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C821-00000000B001}21956C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383527Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C821-00000000B001}21956C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383526Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C721-00000000B001}23524C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383525Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C721-00000000B001}23524C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383524Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C621-00000000B001}10816C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383523Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C621-00000000B001}10816C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383522Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C521-00000000B001}5244C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383521Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C521-00000000B001}5244C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383520Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20A0-6051-A621-00000000B001}15716C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383519Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20A0-6051-A621-00000000B001}15716C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383518Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-202A-6051-7E21-00000000B001}4240C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383517Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-202A-6051-7E21-00000000B001}4240C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383516Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F89-6051-4021-00000000B001}19804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383515Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F89-6051-4021-00000000B001}19804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383514Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F87-6051-3721-00000000B001}7928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383513Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F87-6051-3721-00000000B001}7928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383512Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F7A-6051-0D21-00000000B001}23396C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383511Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F7A-6051-0D21-00000000B001}23396C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383510Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383509Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383508Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1D10-6051-7820-00000000B001}20976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383507Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1D10-6051-7820-00000000B001}20976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383506Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1BDC-6051-3520-00000000B001}21456C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383505Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1BDC-6051-3520-00000000B001}21456C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383504Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1BDC-6051-3420-00000000B001}11392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383503Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1BDC-6051-3420-00000000B001}11392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383502Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1936-6051-B71F-00000000B001}17872C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383501Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1936-6051-B71F-00000000B001}17872C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383500Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD4A-6050-6C1A-00000000B001}24580C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383499Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD4A-6050-6C1A-00000000B001}24580C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383498Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD16-6050-571A-00000000B001}9584C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383497Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD16-6050-571A-00000000B001}9584C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383496Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD16-6050-561A-00000000B001}24120C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383495Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD16-6050-561A-00000000B001}24120C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383494Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD15-6050-551A-00000000B001}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383493Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD15-6050-551A-00000000B001}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383492Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD15-6050-541A-00000000B001}18620C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383491Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD15-6050-541A-00000000B001}18620C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383490Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD13-6050-531A-00000000B001}22004C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383489Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD13-6050-531A-00000000B001}22004C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383488Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383487Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383486Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-ED20-6050-6117-00000000B001}21992C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383485Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-ED20-6050-6117-00000000B001}21992C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383484Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383483Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383482Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383481Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383480Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383479Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383478Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383477Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383476Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383475Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383474Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383473Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383472Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383471Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383470Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383469Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383468Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383467Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383466Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383465Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383464Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383463Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383462Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383461Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383460Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383459Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383458Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8B2-6050-4716-00000000B001}11216C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMRecovery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383457Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8B2-6050-4716-00000000B001}11216C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMRecovery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383456Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8B0-6050-4416-00000000B001}11464C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383455Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8B0-6050-4416-00000000B001}11464C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383454Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8AD-6050-4316-00000000B001}12744C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383453Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8AD-6050-4316-00000000B001}12744C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383452Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383451Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383450Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8AC-6050-4116-00000000B001}13236C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383449Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8AC-6050-4116-00000000B001}13236C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383448Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383447Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383446Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383445Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383444Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E893-6050-2516-00000000B001}12676C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383443Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E893-6050-2516-00000000B001}12676C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383442Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E893-6050-2416-00000000B001}11244C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383441Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E893-6050-2416-00000000B001}11244C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383440Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E891-6050-2316-00000000B001}11696C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383439Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E891-6050-2316-00000000B001}11696C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383438Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E889-6050-1F16-00000000B001}4832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383437Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E889-6050-1F16-00000000B001}4832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383436Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E889-6050-1E16-00000000B001}13088C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383435Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E889-6050-1E16-00000000B001}13088C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383434Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E889-6050-1D16-00000000B001}4956C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383433Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E889-6050-1D16-00000000B001}4956C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383432Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383431Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383430Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E882-6050-1816-00000000B001}12912C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383429Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E882-6050-1816-00000000B001}12912C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383428Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E87A-6050-1716-00000000B001}13144C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383427Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E87A-6050-1716-00000000B001}13144C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383426Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E87A-6050-1616-00000000B001}13132C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383425Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E87A-6050-1616-00000000B001}13132C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383424Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E878-6050-1316-00000000B001}12860C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383423Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E878-6050-1316-00000000B001}12860C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383422Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E86F-6050-1216-00000000B001}12292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383421Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E86F-6050-1216-00000000B001}12292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383420Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E86F-6050-1116-00000000B001}11120C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383419Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E86F-6050-1116-00000000B001}11120C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383418Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E86E-6050-1016-00000000B001}11884C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383417Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E86E-6050-1016-00000000B001}11884C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383416Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E867-6050-0B16-00000000B001}11960C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383415Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E867-6050-0B16-00000000B001}11960C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383414Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E864-6050-0616-00000000B001}12120C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383413Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E864-6050-0616-00000000B001}12120C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383412Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383411Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383410Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383409Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383408Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E85A-6050-F915-00000000B001}11772C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383407Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E85A-6050-F915-00000000B001}11772C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383406Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E85A-6050-F815-00000000B001}11708C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383405Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E85A-6050-F815-00000000B001}11708C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383404Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E856-6050-F015-00000000B001}11876C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383403Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E856-6050-F015-00000000B001}11876C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383402Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E854-6050-E715-00000000B001}12284C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383401Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E854-6050-E715-00000000B001}12284C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383400Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E851-6050-D915-00000000B001}11424C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383399Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E851-6050-D915-00000000B001}11424C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383398Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E84F-6050-D615-00000000B001}2888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383397Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E84F-6050-D615-00000000B001}2888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383396Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E84F-6050-D515-00000000B001}9252C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383395Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E84F-6050-D515-00000000B001}9252C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383394Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383393Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383392Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383391Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383390Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E83F-6050-7C15-00000000B001}5876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383389Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E83F-6050-7C15-00000000B001}5876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383388Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E82B-6050-7015-00000000B001}7156C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383387Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E82B-6050-7015-00000000B001}7156C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383386Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E829-6050-6A15-00000000B001}2460C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383385Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E829-6050-6A15-00000000B001}2460C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383384Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383383Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383382Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E825-6050-6515-00000000B001}3388C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383381Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E825-6050-6515-00000000B001}3388C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383380Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383379Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383378Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383377Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383376Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E764-6050-1C13-00000000B001}9980C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383375Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E764-6050-1C13-00000000B001}9980C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383374Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E760-6050-1A13-00000000B001}9452C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383373Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E760-6050-1A13-00000000B001}9452C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383372Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E75D-6050-1813-00000000B001}5196C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383371Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E75D-6050-1813-00000000B001}5196C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383370Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383369Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383368Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E75A-6050-1513-00000000B001}8932C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383367Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E75A-6050-1513-00000000B001}8932C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383366Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383365Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383364Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383363Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383362Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383361Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383360Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E750-6050-0E13-00000000B001}8088C:\Windows\system32\inetsrv\inetinfo.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383359Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E750-6050-0E13-00000000B001}8088C:\Windows\system32\inetsrv\inetinfo.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383358Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E555-6050-DF0C-00000000B001}9164C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383357Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E555-6050-DF0C-00000000B001}9164C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383356Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383355Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383354Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E335-6050-1D08-00000000B001}9176C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383353Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E335-6050-1D08-00000000B001}9176C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383352Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383351Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383350Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383349Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383348Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383347Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383346Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E30D-6050-F507-00000000B001}6040C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383345Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E30D-6050-F507-00000000B001}6040C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383344Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E30C-6050-F407-00000000B001}5104C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383343Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E30C-6050-F407-00000000B001}5104C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383342Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DFE8-6050-5902-00000000B001}3204C:\Windows\system32\inetsrv\wmsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383341Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DFE8-6050-5902-00000000B001}3204C:\Windows\system32\inetsrv\wmsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383340Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAB6-6050-A800-00000000B001}5792C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383339Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAB6-6050-A800-00000000B001}5792C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383338Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA4-6050-9C00-00000000B001}5232C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383337Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA4-6050-9C00-00000000B001}5232C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383336Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA4-6050-9B00-00000000B001}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383335Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA4-6050-9B00-00000000B001}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383334Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA3-6050-9A00-00000000B001}4712C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383333Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA3-6050-9A00-00000000B001}4712C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383332Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA2-6050-9400-00000000B001}2476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383331Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA2-6050-9400-00000000B001}2476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383330Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA2-6050-9100-00000000B001}4980C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383329Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA2-6050-9100-00000000B001}4980C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383328Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA0-6050-8E00-00000000B001}1168C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383327Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA0-6050-8E00-00000000B001}1168C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383326Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA0-6050-8C00-00000000B001}4796C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383325Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA0-6050-8C00-00000000B001}4796C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383324Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3D-6050-4700-00000000B001}4260C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383323Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3D-6050-4700-00000000B001}4260C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383322Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3D-6050-4200-00000000B001}4152C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383321Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3D-6050-4200-00000000B001}4152C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383320Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3C-6050-3800-00000000B001}3756C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383319Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3C-6050-3800-00000000B001}3756C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383318Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3C-6050-3600-00000000B001}3636C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383317Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3C-6050-3600-00000000B001}3636C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383316Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-3300-00000000B001}2160C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383315Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-3300-00000000B001}2160C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383314Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-3200-00000000B001}2204C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383313Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-3200-00000000B001}2204C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383312Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383311Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383310Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2F00-00000000B001}2468C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383309Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2F00-00000000B001}2468C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383308Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2E00-00000000B001}2880C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383307Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2E00-00000000B001}2880C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383306Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2D00-00000000B001}2780C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383305Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2D00-00000000B001}2780C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383304Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2C00-00000000B001}2736C:\Windows\system32\mqsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383303Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2C00-00000000B001}2736C:\Windows\system32\mqsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383302Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2B00-00000000B001}2488C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383301Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2B00-00000000B001}2488C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383300Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2A00-00000000B001}2656C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383299Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2A00-00000000B001}2656C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383298Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2900-00000000B001}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383297Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2900-00000000B001}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383296Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2800-00000000B001}2620C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383295Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2800-00000000B001}2620C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383294Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2600-00000000B001}1928C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383293Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2600-00000000B001}1928C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383292Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2500-00000000B001}2140C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383291Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2500-00000000B001}2140C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383290Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA35-6050-2300-00000000B001}2932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383289Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA35-6050-2300-00000000B001}2932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383288Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2C-6050-2100-00000000B001}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383287Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2C-6050-2100-00000000B001}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383286Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1700-00000000B001}1784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383285Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1700-00000000B001}1784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383284Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1600-00000000B001}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383283Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1600-00000000B001}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383282Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1500-00000000B001}1476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383281Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1500-00000000B001}1476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383280Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1400-00000000B001}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383279Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1400-00000000B001}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383278Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1300-00000000B001}1224C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383277Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1300-00000000B001}1224C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383276Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1200-00000000B001}1200C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383275Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1200-00000000B001}1200C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383274Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1100-00000000B001}1152C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383273Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1100-00000000B001}1152C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383272Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1000-00000000B001}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383271Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1000-00000000B001}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383270Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0F00-00000000B001}1112C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383269Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0F00-00000000B001}1112C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383268Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0E00-00000000B001}1064C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383267Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0E00-00000000B001}1064C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383266Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0D00-00000000B001}624C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383265Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0D00-00000000B001}624C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383264Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0C00-00000000B001}584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383263Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0C00-00000000B001}584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383262Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383261Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383260Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA28-6050-0900-00000000B001}792C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383259Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA28-6050-0900-00000000B001}792C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383546Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.979{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-1D10-6051-7820-00000000B001}20976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+602a3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383545Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.964{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-2598-6051-7823-00000000B001}20636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383544Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.964{9A05EE67-2598-6051-7823-00000000B001}206364816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+5f6845|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+5f6376|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+55bea|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+560eb|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+8db654|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383543Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.903{9A05EE67-DA28-6050-0B00-00000000B001}852588C:\Windows\system32\lsass.exe{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383542Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.903{9A05EE67-DA28-6050-0B00-00000000B001}852588C:\Windows\system32\lsass.exe{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383541Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.714{9A05EE67-1F7A-6051-0D21-00000000B001}233964636C:\Windows\system32\conhost.exe{9A05EE67-2598-6051-7823-00000000B001}20636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383540Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.714{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383539Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.714{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383538Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.714{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383537Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.714{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383536Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.714{9A05EE67-DA28-6050-0500-00000000B001}636652C:\Windows\system32\csrss.exe{9A05EE67-2598-6051-7823-00000000B001}20636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002383535Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.714{9A05EE67-1F79-6051-0921-00000000B001}2615225328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9A05EE67-2598-6051-7823-00000000B001}20636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002383534Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.715{9A05EE67-2598-6051-7823-00000000B001}20636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe8.0.2Monitor windows hostsplunk ApplicationSplunk Inc.splunk-winhostmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9A05EE67-DA29-6050-E703-000000000000}0x3e70SystemMD5=6905A24BF9B6295BD2422337204977D6,SHA256=2B86EC7EBCE7C0A3A77BA1A9B60B67BDA07778DF9E33E89065460BA059BC5A64,IMPHASH=B8203BDD5C47E5110CE749A0AD73B071{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002383559Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.979{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-2599-6051-7923-00000000B001}19308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383558Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.979{9A05EE67-2599-6051-7923-00000000B001}1930823580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+5f6845|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+5f6376|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+55bea|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+560eb|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+8db654|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383557Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.776{9A05EE67-DA28-6050-0B00-00000000B001}852588C:\Windows\system32\lsass.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\kerberos.DLL+8cb5a|C:\Windows\system32\kerberos.DLL+42a18|C:\Windows\system32\kerberos.DLL+40fbb|C:\Windows\system32\kerberos.DLL+148cf|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000002383556Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.776{9A05EE67-DA28-6050-0B00-00000000B001}852588C:\Windows\system32\lsass.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002383555Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.729{9A05EE67-1F7A-6051-0D21-00000000B001}233964636C:\Windows\system32\conhost.exe{9A05EE67-2599-6051-7923-00000000B001}19308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383554Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.729{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383553Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.729{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383552Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.729{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383551Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.729{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383550Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.729{9A05EE67-DA28-6050-0500-00000000B001}636652C:\Windows\system32\csrss.exe{9A05EE67-2599-6051-7923-00000000B001}19308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002383549Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.729{9A05EE67-1F79-6051-0921-00000000B001}2615225328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9A05EE67-2599-6051-7923-00000000B001}19308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002383548Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.733{9A05EE67-2599-6051-7923-00000000B001}19308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe8.0.2Monitor windows hostsplunk ApplicationSplunk Inc.splunk-winhostmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9A05EE67-DA29-6050-E703-000000000000}0x3e70SystemMD5=6905A24BF9B6295BD2422337204977D6,SHA256=2B86EC7EBCE7C0A3A77BA1A9B60B67BDA07778DF9E33E89065460BA059BC5A64,IMPHASH=B8203BDD5C47E5110CE749A0AD73B071{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002383547Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.745{9A05EE67-1F87-6051-3721-00000000B001}7928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25304-false10.0.1.12-8000- 23542300x80000000000000002383705Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.542{9A05EE67-1F89-6051-4021-00000000B001}19804NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98A84C9C6A0F3EA4B8F055594D355D8A,SHA256=2C764F9730BECEF93C5DE327237CBAB54BA1404F146DD4CBFFF5F59F1FF8AA6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002383704Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.568{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-622.attackrange.local25307-false10.0.1.14win-dc-622.attackrange.local389ldap 354300x80000000000000002383703Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.568{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25307-false10.0.1.14win-dc-622.attackrange.local389ldap 354300x80000000000000002383702Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.564{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-622.attackrange.local25306-false10.0.1.14win-dc-622.attackrange.local389ldap 354300x80000000000000002383701Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.564{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25306-false10.0.1.14win-dc-622.attackrange.local389ldap 354300x80000000000000002383700Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.560{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-622.attackrange.local25305-false10.0.1.14win-dc-622.attackrange.local389ldap 354300x80000000000000002383699Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.560{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25305-false10.0.1.14win-dc-622.attackrange.local389ldap 10341000x80000000000000002383698Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.099{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-2599-6051-7923-00000000B001}19308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383697Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.099{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-2598-6051-7823-00000000B001}20636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383696Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.098{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20BB-6051-CA21-00000000B001}25052C:\Windows\system32\nslookup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383695Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.098{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20BB-6051-C921-00000000B001}16536C:\Windows\system32\nslookup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383694Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.097{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20BB-6051-C821-00000000B001}21956C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383693Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.097{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20BB-6051-C721-00000000B001}23524C:\Windows\SYSTEM32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383692Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.096{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20BB-6051-C621-00000000B001}10816C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383691Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.095{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20BB-6051-C521-00000000B001}5244C:\Windows\SYSTEM32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383690Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.095{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20A0-6051-A621-00000000B001}15716C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383689Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.094{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-202A-6051-7E21-00000000B001}4240C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383688Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.093{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1F89-6051-4021-00000000B001}19804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383687Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.093{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1F87-6051-3C21-00000000B001}12216C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383686Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.092{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1F87-6051-3721-00000000B001}7928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383685Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.092{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1F7A-6051-0D21-00000000B001}23396C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383684Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.091{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383683Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.090{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1BDC-6051-3520-00000000B001}21456C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383682Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.090{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1BDC-6051-3420-00000000B001}11392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383681Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.089{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1936-6051-B71F-00000000B001}17872C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383680Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.089{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-FD4A-6050-6C1A-00000000B001}24580C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383679Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-FD16-6050-571A-00000000B001}9584C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383678Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-FD16-6050-561A-00000000B001}24120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383677Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-FD15-6050-551A-00000000B001}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383676Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-FD15-6050-541A-00000000B001}18620C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383675Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-FD13-6050-531A-00000000B001}22004C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383674Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383673Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-ED20-6050-6117-00000000B001}21992C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383672Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383671Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383670Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383669Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383668Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383667Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383666Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383665Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383664Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383663Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383662Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383661Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383660Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383659Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8B2-6050-4716-00000000B001}11216C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMRecovery.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383658Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8B0-6050-4416-00000000B001}11464C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383657Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8AD-6050-4316-00000000B001}12744C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383656Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383655Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8AC-6050-4116-00000000B001}13236C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383654Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383653Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383652Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E893-6050-2516-00000000B001}12676C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383651Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E893-6050-2416-00000000B001}11244C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383650Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E891-6050-2316-00000000B001}11696C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383649Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E889-6050-1F16-00000000B001}4832C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383648Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E889-6050-1E16-00000000B001}13088C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383647Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E889-6050-1D16-00000000B001}4956C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383646Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383645Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E882-6050-1816-00000000B001}12912C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383644Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E87A-6050-1716-00000000B001}13144C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383643Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E87A-6050-1616-00000000B001}13132C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383642Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E878-6050-1316-00000000B001}12860C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383641Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E86F-6050-1216-00000000B001}12292C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383640Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E86F-6050-1116-00000000B001}11120C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383639Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E86E-6050-1016-00000000B001}11884C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383638Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E867-6050-0B16-00000000B001}11960C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383637Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E864-6050-0616-00000000B001}12120C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383636Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383635Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383634Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E85A-6050-F915-00000000B001}11772C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383633Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E85A-6050-F815-00000000B001}11708C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383632Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E856-6050-F015-00000000B001}11876C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383631Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E854-6050-E715-00000000B001}12284C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383630Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E851-6050-D915-00000000B001}11424C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383629Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E84F-6050-D615-00000000B001}2888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383628Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E84F-6050-D515-00000000B001}9252C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383627Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383626Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383625Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E83F-6050-7C15-00000000B001}5876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383624Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E82B-6050-7015-00000000B001}7156C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383623Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E829-6050-6A15-00000000B001}2460C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383622Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383621Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E825-6050-6515-00000000B001}3388C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383620Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383619Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383618Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E764-6050-1C13-00000000B001}9980C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383617Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E760-6050-1A13-00000000B001}9452C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383616Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E75D-6050-1813-00000000B001}5196C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383615Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383614Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E75A-6050-1513-00000000B001}8932C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383613Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383612Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383611Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383610Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E750-6050-0E13-00000000B001}8088C:\Windows\system32\inetsrv\inetinfo.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383609Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E555-6050-DF0C-00000000B001}9164C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383608Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383607Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E335-6050-1D08-00000000B001}9176C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383606Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383605Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383604Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383603Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E30D-6050-F507-00000000B001}6040C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383602Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E30C-6050-F407-00000000B001}5104C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383601Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DFE8-6050-5902-00000000B001}3204C:\Windows\system32\inetsrv\wmsvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383600Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAB6-6050-A800-00000000B001}5792C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383599Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA4-6050-9C00-00000000B001}5232C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383598Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA4-6050-9B00-00000000B001}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383597Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA3-6050-9A00-00000000B001}4712C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383596Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA2-6050-9400-00000000B001}2476C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383595Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA2-6050-9100-00000000B001}4980C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383594Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA0-6050-8E00-00000000B001}1168C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383593Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA0-6050-8C00-00000000B001}4796C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383592Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3D-6050-4700-00000000B001}4260C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383591Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3D-6050-4200-00000000B001}4152C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383590Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3C-6050-3800-00000000B001}3756C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383589Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3C-6050-3600-00000000B001}3636C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383588Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-3300-00000000B001}2160C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383587Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-3200-00000000B001}2204C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383586Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383585Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2F00-00000000B001}2468C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383584Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2E00-00000000B001}2880C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383583Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2D00-00000000B001}2780C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383582Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2C00-00000000B001}2736C:\Windows\system32\mqsvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383581Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2B00-00000000B001}2488C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383580Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2A00-00000000B001}2656C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Wind